Enterprise Java Security Directions
Larry Koved, IBM Research, T.J. Watson Research Center, [email protected]

The O'Reilly Conference on Java - Enterprise Java O'Reilly v5 - Larry Koved

Copyright 2000 IBM Corp.

Page 1

Trademarks
Java, Java 2 and Enterprise JavaBeans are trademarks or registered trademarks of Sun Microsystems Inc.

Talk Outline
- Enterprise Java Beans (EJB)
  - EJB overview
  - EJB 1.1 Security
- Java Authentication & Authorization Services (JAAS)
  - Java 2 Authorization - brief review
  - JAAS - Authorization
- Server Managed Security Policy

Enterprise Java Beans


Multi-Tier Model
(figure: tiers Presentation, Business Logic / Rules, Business Objects; network zones Internet and Intranet)

J2EE and EJB
(figure: Client; Middle Tier consisting of a Web Server (Servlets, JSP, HTML, XML) and an EJB Server (JNDI, JMS, JavaMail); Enterprise Information Systems (RDBMS, ERP, Legacy apps.))

What is it?
"The Enterprise JavaBeans architecture is a component architecture for the development and deployment of component-based distributed business applications. Applications written using the Enterprise JavaBeans architecture are scaleable, transactional, and multi-user secure. These applications may be written once, and deployed on any server platform that supports the Enterprise JavaBeans specification."**

** Enterprise JavaBeans(TM) Specification, v1.1, Copyright 1999 by Sun Microsystems, Inc.

Services Provided By An EJB Container
- Concurrency
- Transactions
- Persistence
- Distributed objects
- Naming
- Security

Simplified Definition**
Enterprise JavaBeans is a standard server-side component model for component-based distributed transaction monitors.

** Adapted from Enterprise JavaBeans, by Richard Monson-Haefel. O'Reilly, 1999.

EJB Components

- Portable, reusable, "black box" software.
- Components can be aggregated to create larger components.

Remote Method Invocation
(figure: Client code calls a Stub; marshalled objects travel over RMI / IIOP to the Skeleton, which calls the Server code; the authorization control point sits on the server side)

What is a Transaction Monitor?
Satisfies ACID properties:
- Atomicity: all-or-nothing
- Consistency: internally consistent
- Isolation: serializability
- Durability: survive TP failure

Specifically, we're interested in transaction monitors for a distributed multi-tiered computing model.

EJB Roles
- Enterprise Bean Provider
- Application Assembler
- Deployer
- System Administrator
- EJB Server Provider
- EJB Container Provider

Development / Deployment Process
(figure: Enterprise Bean Providers -> Application Assembler -> Deployer -> System Administrator)

Enterprise Bean Provider


Example Automobile Bean
(figure: the Client holds a Home stub and an EJB object stub; inside the EJB Server's EJB Container, the Home interface is implemented by the EJB home and the Remote interface by the EJB object, which is backed by the Bean class)

Classes and Interfaces: Home interface
- Lifecycle methods: new, remove and find beans
- Extends javax.ejb.EJBHome
  - Which extends java.rmi.Remote
- The actual implementation of the interface is called an EJB home.

Classes and Interfaces: Remote Interface
- Externally defined business methods
- Extends javax.ejb.EJBObject
  - Which extends java.rmi.Remote
- The actual implementation of the interface is called an EJB object.

Classes and Interfaces: Bean class
- Business methods
- Must implement the method signatures defined in the remote interface, and some methods in the home interface
- Implements either javax.ejb.EntityBean or javax.ejb.SessionBean (both are interfaces)

FYI - EJB Flavors
- Entity Beans
  - Instances usually persistent
  - Bean vs. Container managed persistence
- Session Beans
  - Non-persistent instances
- Both are transactional

Classes and Interfaces: Primary key
- Only used by Entity Beans
- Used as an index into the database
- Implements Serializable

Example: Remote Interface
Automobile Bean

    public interface Automobile extends javax.ejb.EJBObject {
        public String getOwner() throws RemoteException;
        public void setOwner(String owner) ...;
        public AutoVIN getAutoVIN() ...;
        public void setAutoVIN(AutoVIN vin) ...;
    }

Example: Home Interface
Automobile Bean

    public interface AutomobileHome extends javax.ejb.EJBHome {
        public Automobile create(AutoVIN vin) throws RemoteException;
        public Automobile findByPrimaryKey(AutoVIN vin) ...;
    }

Example: EJB
Automobile Bean

    // The bean class implements (not extends) the EntityBean interface
    public class AutomobileBean implements javax.ejb.EntityBean {
        public AutoVIN vin;
        public Owner own;
        . . .
        public String getOwner() { . . . }
        public void setOwner(String owner) { . . . }
        public AutoVIN getAutoVIN() { . . . }
        public void setAutoVIN(AutoVIN vin) { . . . }
        ...

Example: EJB (continued)
Automobile Bean

        // Container callbacks required of an entity bean
        public AutoVIN ejbCreate(AutoVIN newVIN) { ... }
        public void ejbPostCreate(...) { ... }
        public void setEntityContext(EntityContext c) { ... }
        public void unsetEntityContext() { ... }
        public void ejbActivate() { ... }
        public void ejbPassivate() { ... }
        public void ejbLoad() { ... }
        public void ejbStore() { ... }
        public void ejbRemove() { ... }
        ...
    }

EJB Security
Mostly, it is about a process

EJB Security
- Defined with respect to each of the EJB "Roles": Provider, Assembler, Deployer, Administrator, Container
- Deployment Descriptor
  - "Security Roles"
  - "Security Role Refs"

Objectives
- Be policy driven
  - Not hardcoded
- Reduce application developer's burden
  - Delegate responsibility to the "more qualified EJB roles"
  - Effective security policy defined by deployer and administrator roles
- Allow bean portability between containers

4 Perspectives of EJB Security
- Policy-based method level authorization
- Application security APIs
- Delegation
- Other security aspects of EJB 1.1

Policy Based Authorization: Bean Provider
- Method level authorization: no application code required
- Beans accessed only through the container

Policy Based Authorization: Application Assembler
- An application is composed of one or more Enterprise Java Beans
- Typical application is one or more EJBs in an EJB-JAR file

Application Assembler*
"The security view consists of a set of security roles. A security role is a semantic grouping of permissions that a given type of users of an application must have in order to successfully use the application.

The Application Assembler defines method permissions for each security role. A method permission is a permission to invoke a specified group of methods of the enterprise bean's home and remote interfaces.

It is important to keep in mind that the security roles are used to define the logical security view of an application. They should not be confused with the user groups, users, principals, and other concepts that exist in the target enterprise's operational environment."

* Enterprise JavaBeans Specification, v1.1, section 15.3

Application Assembler*
"In special cases, a qualified Deployer may change the definition of the security roles for an application, or completely ignore them and secure the application using a different mechanism that is specific to the operational environment."

* Enterprise JavaBeans Specification, v1.1, section 15.3

Application Assembler: Security Roles
- One or more (logical) security roles are optionally defined in the deployment descriptor.
- Groups of methods in the home/remote interfaces are assigned to the roles.
- Methods require the caller to be in one or more of the "security roles".
- Scope of the security-role names: the ejb-jar file.
  - Role names apply to all EJBs in the file

Application Assembler: Defining Role Names
Security roles declared in the deployment descriptor (descriptor markup not shown):
- DmvClerk: "For employees who provide service to customers (counter clerks), or provide back office support (e.g., registration renewal by mail)."
- DmvSupervisor: "This role is intended for DMV clerk supervisors."

Application Assembler: Method Permissions
Method permission (descriptor markup not shown):
- Role DmvSupervisor may invoke AutomobileBean method * (every method)

Application Assembler: Method Permissions
Method permission (descriptor markup not shown):
- Role DmvClerk may invoke AutomobileBean methods getOwner, setOwner, getVIN, EJBCreate

Application Assembler: Method Permissions
Method permission (descriptor markup not shown):
- Role WebAccess may invoke AutomobileBean methods findByPrimaryKey, getOwner

Policy Based Authorization: Deployer


Policy Based Authorization: Deployer
- Responsible for installing the application configured by the Application Assembler.
- Container provides tools to read and process the deployment descriptor.
  - "Hints" from the app. assembler
- Assign security domain / principal realm to the application
- Map users/groups to "security roles"

Policy Based Authorization: Deployer
- Assignment of users / groups is done on a per application (ejb-jar) instance basis:
  - Different ejb-jars with the same security role names may have different security mappings in the same container.
  - Multiple instances of an EJB are allowed in the same container
    - Role/principal mappings may be different

Policy Based Authorization: EJB Container Provider
- Provides Deployer security tools
- Must enforce policies defined by Deployer
  - Authentication of principals
  - Access authorization for Bean methods
    - Client must be assigned to at least one security role
  - Access to beans only via home/remote interface

Policy Based Authorization: System Administrator
- Administration of principals
- Principal mapping

4 Perspectives of EJB Security
- Policy-based method level authorization
- Application security APIs
- Delegation
- Other security aspects of EJB 1.1

Application Security APIs: Bean Provider
- Security APIs available when really needed (see next page)
- Unable to influence principal
  - Policy defined by deployer / admin
  - Enforced by container
  - Underlying OS principal undefined
- Deployment descriptor conveys info

Application Security APIs: Bean Provider

    // in package javax.ejb
    public interface EJBContext {
        // E.g., use as a key for DB lookup.
        // The name returned is dependent on the
        // container implementation.
        java.security.Principal getCallerPrincipal();

        // See RoleRef in deployment descriptor.
        // Perhaps use for role-limiting resource access
        boolean isCallerInRole(String roleName);
    }

Deployment Descriptor: Security-Role-Ref
Bean AutomobileBean (class com.WeAreCars.AutomobileBean) declares a security-role-ref (descriptor markup not shown):
- description: "Blah, blah, blah." (free text, not for tool automation)
- role name: DmvRecordViewing

isCallerInRole example

    ...
    // Does the caller have the DmvRecordViewing role?
    if (context.isCallerInRole("DmvRecordViewing")) {
        // action if in DmvRecordViewing
        ...
    } else {
        // action otherwise
    }
    ...

Deployment Descriptor: Security-Role-Ref
- Scope of the security-role-ref names: the bean (entity or session) entry in which the security-role-ref is defined.

Application Security APIs: Application Assembler
- An application is composed of one or more Enterprise Java Beans.
- The "security-role-ref" entries for each EJB are mapped to "security roles" within an EJB-JAR
  - Map EJB scoped security-role-ref names to EJB-JAR scoped "security role" names

Deployment Descriptor: Defining Role Names
Security role declared in the deployment descriptor (descriptor markup not shown):
- WebAccess: "For customers (World Wide Web / Internet), or want to avoid the DMV offices or traditional mail services."

Deployment Descriptor: Method Permissions
Method permission (descriptor markup not shown):
- Role WebAccess may invoke AutomobileBean methods findByPrimaryKey, getOwner

Deployment Descriptor: Role-Ref / Role Linking
Bean AutomobileBean (class com.WeAreCars.AutomobileBean) declares a security-role-ref (descriptor markup not shown):
- description: "Blah, blah, blah." (ignored by tools)
- role name: DmvRecordViewing
- role link: WebAccess (the EJB-JAR scoped security role the reference resolves to)
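Method permissions and security-role-ref links are what the container evaluates on every call. As an added example (not code from the talk or from the EJB specification), the Java program below parses a constructed ejb-jar.xml fragment modelled on the DMV roles above and answers the two questions a container must answer: may a caller's roles invoke a given AutomobileBean method, and does isCallerInRole("DmvRecordViewing") resolve through its role-link to WebAccess? The descriptor text, class and role names are constructed, and denying a method that has no method-permission entry is this example's own fail-closed choice.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Evaluates EJB 1.1 style method-permission and security-role-ref entries
 *  from an ejb-jar.xml assembly descriptor, as a container's check would. */
public class DescriptorAuthz {

    // Constructed descriptor fragment modelled on the talk's DMV roles (not taken from the slides).
    static final String EJB_JAR_XML =
        "<ejb-jar>\n" +
        " <enterprise-beans>\n" +
        "  <entity>\n" +
        "   <ejb-name>AutomobileBean</ejb-name>\n" +
        "   <ejb-class>com.WeAreCars.AutomobileBean</ejb-class>\n" +
        "   <security-role-ref>\n" +                     // bean-scoped name used by isCallerInRole()
        "    <role-name>DmvRecordViewing</role-name>\n" +
        "    <role-link>WebAccess</role-link>\n" +       // linked to an EJB-JAR scoped security role
        "   </security-role-ref>\n" +
        "  </entity>\n" +
        " </enterprise-beans>\n" +
        " <assembly-descriptor>\n" +
        "  <security-role><role-name>DmvSupervisor</role-name></security-role>\n" +
        "  <security-role><role-name>DmvClerk</role-name></security-role>\n" +
        "  <security-role><role-name>WebAccess</role-name></security-role>\n" +
        "  <method-permission><role-name>DmvSupervisor</role-name>\n" +
        "   <method><ejb-name>AutomobileBean</ejb-name><method-name>*</method-name></method>\n" +
        "  </method-permission>\n" +
        "  <method-permission><role-name>DmvClerk</role-name>\n" +
        "   <method><ejb-name>AutomobileBean</ejb-name><method-name>getOwner</method-name></method>\n" +
        "   <method><ejb-name>AutomobileBean</ejb-name><method-name>setOwner</method-name></method>\n" +
        "  </method-permission>\n" +
        "  <method-permission><role-name>WebAccess</role-name>\n" +
        "   <method><ejb-name>AutomobileBean</ejb-name><method-name>findByPrimaryKey</method-name></method>\n" +
        "   <method><ejb-name>AutomobileBean</ejb-name><method-name>getOwner</method-name></method>\n" +
        "  </method-permission>\n" +
        " </assembly-descriptor>\n" +
        "</ejb-jar>\n";

    // "ejbName.methodName" -> security roles permitted to invoke it ("ejbName.*" covers every method)
    private final Map<String, Set<String>> methodRoles = new HashMap<>();
    // ejbName -> (security-role-ref name -> linked security-role name)
    private final Map<String, Map<String, String>> roleLinks = new HashMap<>();

    DescriptorAuthz(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // A descriptor is deploy-time input: refuse DOCTYPEs so no external DTD or entity is fetched
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        NodeList perms = doc.getElementsByTagName("method-permission");
        for (int i = 0; i < perms.getLength(); i++) {
            Element mp = (Element) perms.item(i);
            String role = text(mp, "role-name");
            NodeList methods = mp.getElementsByTagName("method");
            for (int j = 0; j < methods.getLength(); j++) {
                Element m = (Element) methods.item(j);
                String key = text(m, "ejb-name") + "." + text(m, "method-name");
                methodRoles.computeIfAbsent(key, k -> new HashSet<>()).add(role);
            }
        }
        NodeList refs = doc.getElementsByTagName("security-role-ref");
        for (int i = 0; i < refs.getLength(); i++) {
            Element ref = (Element) refs.item(i);
            Element bean = (Element) ref.getParentNode();   // the enclosing <entity> or <session> entry
            roleLinks.computeIfAbsent(text(bean, "ejb-name"), k -> new HashMap<>())
                     .put(text(ref, "role-name"), text(ref, "role-link"));
        }
    }

    private static String text(Element parent, String tag) {
        return parent.getElementsByTagName(tag).item(0).getTextContent().trim();
    }

    /** Container check before dispatch: may a caller holding these security roles invoke the method? */
    boolean mayInvoke(Set<String> callerRoles, String ejbName, String methodName) {
        Set<String> allowed = new HashSet<>(methodRoles.getOrDefault(ejbName + "." + methodName, Set.of()));
        allowed.addAll(methodRoles.getOrDefault(ejbName + ".*", Set.of()));
        // Assumption of this example: a method with no method-permission entry is denied (fail closed)
        return !allowed.isEmpty() && !Collections.disjoint(allowed, callerRoles);
    }

    /** EJBContext.isCallerInRole(): the bean-scoped role-ref is resolved through its role-link. */
    boolean isCallerInRole(Set<String> callerRoles, String ejbName, String roleRef) {
        String linked = roleLinks.getOrDefault(ejbName, Map.of()).get(roleRef);
        return linked != null && callerRoles.contains(linked);
    }

    public static void main(String[] args) throws Exception {
        DescriptorAuthz authz = new DescriptorAuthz(EJB_JAR_XML);
        Set<String> clerk = Set.of("DmvClerk"), web = Set.of("WebAccess"), boss = Set.of("DmvSupervisor");
        System.out.println("DmvClerk may call setOwner: " + authz.mayInvoke(clerk, "AutomobileBean", "setOwner"));
        System.out.println("WebAccess may call setOwner: " + authz.mayInvoke(web, "AutomobileBean", "setOwner"));
        System.out.println("DmvSupervisor may call remove: " + authz.mayInvoke(boss, "AutomobileBean", "remove"));
        System.out.println("WebAccess isCallerInRole(DmvRecordViewing): "
            + authz.isCallerInRole(web, "AutomobileBean", "DmvRecordViewing"));
        System.out.println("DmvClerk isCallerInRole(DmvRecordViewing): "
            + authz.isCallerInRole(clerk, "AutomobileBean", "DmvRecordViewing"));
    }
}
```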

4 Perspectives of EJB Security
- Policy-based method level authorization
- Application security APIs
- Delegation
  - Method Invocation
- Other security aspects of EJB 1.1

Delegation: Bean Provider
- Unable to influence delegation
  - Effective security policy defined by deployer / administrator
  - Enforced by container
  - Underlying OS principal undefined
- Deployment descriptor conveys info

Delegation: Deployer
- Principal delegation is configured by the deployer
  - Nominally, propagate the caller principal (though, not guaranteed)
- Assembler may have provided comments on how the container should perform delegation
- Unspecified delegation semantics result in the value returned by getCallerPrincipal() being ill defined

Delegation: EJB Container Provider
- Support delegation / principal mapping as defined by Deployer
- Support javax.ejb.EJBContext
  - isCallerInRole(), getCallerPrincipal()
- Principal mapping across domains

EJB Client
- Transactional clients not allowed to change principal within a transaction
- Session Bean's client not allowed to change principal for the duration of communication with the session object
- If transaction requests arrive from multiple clients, they must all have the same security context

4 Perspectives of EJB Security
- Policy-based method level authorization
- Application security APIs
- Delegation
- Other security aspects of EJB 1.1

Architecture / Implementation
- EJB architecture does not specify the security architecture / implementation for the container
- Specifies expected behavior

Bean Provider: Programming Restrictions
- Read/write to static fields (read-only final statics are allowed)
- Thread management / synchronization
- AWT
- File I/O
- Socket listen / accept / multicast
- Reflection to bypass security/safety
- ClassLoaders, define new classes/packages
- Socket factories
- Native libraries
- Serialization substitution
- Security policy access / control objects
- Entity/Session Context.getEJBObject()

Bean Provider: Programming Restrictions - Java 2

Permission Name          EJB Container Policy
AllPermission            deny
AWTPermission            deny
FilePermission           deny
NetPermission            deny
PropertyPermission       deny
ReflectPermission        deny
RuntimePermission        grant "queuePrintJob"; else deny
SecurityPermission       deny
SerializablePermission   deny
SocketPermission         grant "connect", "*"; else deny

Deployer
- Assignment of users / groups is done on a per application (ejb-jar) instance basis:
  - Different ejb-jars with the same role names may have different security mappings in the container.
  - Multiple instances of the same Bean may be colocated in the same container

EJB Container Provider
- Provides Deployer security tools
- Support one or more security domains / principal realms
- Secure communication with remote clients

EJB Container Provider
- Provide secure access to resource managers
- Audit trail
- Beans can not access container / resources except through defined container APIs
  - EJB APIs
  - Standard extension APIs

System Administrator
- Administration of principals
- Principal mapping
- Audit trail review

Java Authentication and Authorization Services (JAAS)


What is JAAS?
- Address Java 2 shortcomings:
  - Authentication services
  - Principal-based authorization
- Enable integration of authentication with existing security services
- Builds upon Java 2 CodeSource authorization
  - AccessController

Key elements:
- Subject - any user of computing
- Principal - names of the user
- Credentials - security attributes
  - E.g., for authentication: PGP, X509, SSO, Kerberos, etc.
  - public / private
- LoginModules
  - Pluggable, Stackable
  - Application independent of authentication services

Java 2 Standard Edition Security: Review
CodeSource Authorization

CodeSource
Combination of a set of Signers (certificates) and a code base URL
(figure: Certificate 1, Certificate 2, ..., Certificate N together with the Code Base URL form the CodeSource)

Policy
- A Permission is an access right to a protected resource
- In Java 2, Permissions are stored in the Policy object
- The reference implementation is file based

Sample Java 2 Policy
- grant entries
  - Describe Permissions granted to CodeSources
  - An entry may contain one or more Permissions

    grant signedBy "mykey", codeBase "file:E:/ORA/app/*" {
        permission java.lang.RuntimePermission "queuePrintJob";
    };

ProtectionDomain
- A ProtectionDomain contains:
  - A CodeSource
  - The Permissions granted to the CodeSource
- SecureClassLoader assigns a ProtectionDomain to each loaded class
- Classes with different CodeSources belong to different ProtectionDomains
(figure: a ProtectionDomain pairs a CodeSource (Certificate 1, Certificate 2, ..., Certificate N plus the Code Base URL) with its PermissionCollections (Permission 1, Permission 2, ..., Permission M))

Classes, ProtectionDomains & Permissions
- Each class is assigned to only one ProtectionDomain
  - As determined by its CodeSource
- Each ProtectionDomain may include zero or more Permissions
- Multiple classes from the same CodeSource are assigned the same ProtectionDomain

Example Guard on Protected Resource

    . . .
    /* Check to see if the calling code is authorized. If not,
       a SecurityException (AccessControlException) will be thrown */
    AccessController.checkPermission(new RuntimePermission("user.home"));
    // Trusted code starts here.
    . . .

The GetProperty Example

    import java.security.*;

    class GetProperty {
        public static void main(String[] args) {
            String s;
            try {
                if (args.length > 0) {
                    s = System.getProperty(args[0], "name " + args[0] + " not specified");
                    System.out.println(args[0] + " property value is: " + s);
                } else {
                    System.out.println("Property name required");
                }
            } catch (Exception e) {
                System.err.println("Caught exception " + e.toString());
            }
        }
    }

Threads of Execution in Java
- Each thread in the JVM contains a number of stack frames
- Each stack frame contains the method instance variables for a method called in the current thread
- A thread of execution may:
  - Occur completely within a single protection domain
  - Involve application ProtectionDomain(s) and the system ProtectionDomain

Check of Current Thread

Calling hierarchy (the frame performing the check is last):
    GetProperty.main()
    java.lang.System.getProperty()
    java.lang.SecurityManager.checkPropertyAccess()
    java.security.AccessController.checkPermission()

checkPermission() testing:
1. AccessController is in the system ProtectionDomain – Permission is implicitly granted. Proceed to the next frame on the thread stack.
2. SecurityManager is in the system ProtectionDomain – Permission is implicitly granted. Proceed to the next frame on the thread stack.
3. System is in the system ProtectionDomain – Permission is implicitly granted. Proceed to the next frame on the thread stack.
4. GetProperty is in the application domain – Is the permission granted? If yes, then proceed to the next frame on the thread stack. If no, throw a SecurityException.

Determining the Permission Set of a Thread
The Permission set of a thread is the intersection of all ProtectionDomains traversed by the execution thread:

$$\bigcap_{i = 1, 2, \dots, K} \{\, \mathrm{Perm}_{i,j} : j = 1, 2, \dots, M_i \,\}$$

(figure: ProtectionDomain 1, ProtectionDomain 2, ..., ProtectionDomain K, each holding its Permissions Perm_{i,j})

Authorization - Permissions
Class1.methodA calls Class2.methodB
- ProtectionDomain for Class1 = { P1, P3 }
- ProtectionDomain for Class2 = { P2, P3 }
- checkPermission(P1) fails
- checkPermission(P2) fails
- checkPermission(P3) succeeds

Authorization - Permissions
Class1.methodA calls Class2.methodB, which calls AccessController.doPrivileged(), which calls Class2.methodC
- ProtectionDomain for Class1 = { P1, P3 }
- ProtectionDomain for Class2 = { P2, P3 }
- checkPermission(P1) fails
- checkPermission(P2) succeeds
- checkPermission(P3) succeeds

Authorization - Permissions
Class1.methodA calls doPrivileged(AccessControlContext({P3,P4})), which calls Class2.methodB
- ProtectionDomain for Class1 = { P1, P3 }
- AccessControlContext = { P3, P4 }
- ProtectionDomain for Class2 = { P2, P3 }
- checkPermission(P3) succeeds
- All others fail.

Lexical Scoping of Privilege Modification
- How privileged code works
- Why it is necessary
- Algorithm for run-time access control verification

Why Privileged Code?
- An application is not allowed to access font files
- The system utility to display a document must obtain those fonts on behalf of the user
- The application is temporarily enabled to access the font files
(figure: Application -> System utility -> File System)

The Privileged Code Mechanism
- doPrivileged() annotates the stack frame
- AccessController.checkPermission() stops Permission testing at this stack frame
  - ProtectionDomain for the class and all the classes that it calls are checked
  - ProtectionDomain of its callers are not checked
(figure: call hierarchy with checkPermission() testing; caller classes above the doPrivileged() frame: Permission testing not performed; classes called from it: Permission testing performed)

Example Privileged Code
- Must use java.security.PrivilegedAction interface
  - The run() method contains code needing privilege
- AccessController.doPrivileged()
  - Takes PrivilegedAction object argument
  - Invokes its run() method
  - Returns the run() method's return value

Example - Anonymous Inner Class

    someMethod() {
        // some normal code here...
        AccessController.doPrivileged(new PrivilegedAction() {
            public Object run() {
                // privileged code goes here, for example:
                System.loadLibrary("awt");
                return null;   // nothing to return
            }
        });
        // some normal code here...
    }

AccessController Algorithm - Stage 1: Build AccessControlContext
- Build AccessControlContext for use in stage 2
- For each class on the thread stack:
  - Get the class's ProtectionDomain
  - If the stack frame is annotated by a doPrivileged(), exit the loop
- If the last stack frame checked is not annotated by a doPrivileged(), add the ProtectionDomains inherited by the current thread when the current thread was instantiated

AccessController Algorithm - Stage 2: Check each ProtectionDomain
- Check each ProtectionDomain to see whether it contains the Permission being checked
- If no ProtectionDomains from stage 1, return (only fully trusted code is running)
- For each unique ProtectionDomain P obtained in stage 1, call P's implies() method with the Permission
  - Does P imply the Permission being checked?
  - If no, throw an exception
  - Else, continue

JAAS / J2SE Authorization Relationship
- Policy based
  - Uses a "principal" extension
- Lexically scoped
  - Subject.doAs() & doAsPrivileged() take a PrivilegedAction / PrivilegedExceptionAction as an argument
  - But, no doPrivileged() mark
- Authorization algorithm unmodified

Sample JAAS Policy
- Consists of grant entries
  - Describe Permissions granted to CodeSources and Principals
  - Each entry may contain one or more Permissions

    grant signedBy "mykey", codeBase "file:E:/ORA/app/*",
          principal com.esite.WebPrincipal "George" {
        permission java.lang.RuntimePermission "queuePrintJob";
    };

Sample JAAS Policy - Roles
- "Roles" can be assigned to Subjects
- Authorization performed based on the "Role" assigned to the subject

    grant signedBy "mykey", codeBase "file:E:/ORA/app/*",
          principal com.eDMV.MethodRole "DMVSupervisor" {
        permission com.ebank.AccountAccess "CloseAccount";
    };

Example doAs()
Lexically scoped Subject

    . . .
    // Authenticate user & build a Subject wUser
    . . .
    // Switch to the authenticated user
    Subject.doAs(wUser, new PrivilegedAction() {
        public Object run() {
            // Work to be done as wUser requiring
            // the addition of the user's privileges
            return processUserRequest();
        }
    } // end of PrivilegedAction
    );

Subject.doAs() Effect
- Extends the effective ProtectionDomains of methods called after the Subject.doAs() call

Example scenario

Thread / Class   Permissions   Effective Thread Permission
Class 1          { P1, P2 }    { P1, P2 }
Class 2          { P1, P3 }    { P1 }
Class 3          { P2 }        { }
Class 4          { P1, P5 }    { }

checkPermission(P1) fails

$$P_{c1} \cap P_{c2} \cap P_{c3} \cap P_{c4} = \{\}$$

Augmented with doAs()

Thread / Class   Permissions       Effective Thread Permission
Class 1          { P1, P2 }        { P1, P2 }
Class 2          { P1, P3 }        { P1 }
doAs(X)          { P1, P4 }
Class 3          { P2, P1, P4 }    { P1 }
Class 4          { P1, P5, P4 }    { P1 }

checkPermission(P1) succeeds!

$$P_{c1} \cap P_{c2} \cap (P_{c3} \cup P_X) \cap (P_{c4} \cup P_X) = \{ P1 \}$$

Another doAs() scenario

Thread / Class   Permissions       Effective Thread Permission
Class 1          { P1, P2 }        { P1, P2 }
doAs(X)          { P2, P3 }
Class 2          { P1, P2, P3 }    { P1, P2 }

checkPermission(P2) succeeds!

$$P_{c1} \cap (P_{c2} \cup P_X) = \{ P1, P2 \}$$

Another doAs() scenario (cont'd)

Thread / Class   Permissions       Effective Thread Permission
Class 1          { P1, P2 }        { P1, P2 }
doAs(X)          { P2, P3 }
Class 2          { P1, P2, P3 }    { P1, P2 }
doAs(Y)          { P1, P3 }
Class 2          { P1, P3 }        { P1 }

checkPermission(P2) fails!

$$P_{c1} \cap (P_{c2} \cup P_X) \cap (P_{c2} \cup P_Y) = \{ P1 \}$$

Summary
- Subject.doAs() extends the ProtectionDomains of all classes / methods which the PrivilegedAction object calls
- The basic CodeSource authorization algorithm is unmodified
- Subsequent Subject.doAs() calls replace the Subject in the authorization algorithm
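To make the two-stage algorithm and the doAs() tables above concrete, here is an added model (not code from the talk) of AccessController.checkPermission() over a constructed call stack: frames carry their class's ProtectionDomain permissions, a doPrivileged() annotation with an optional AccessControlContext, and the permissions of the Subject of an enclosing Subject.doAs(). It reproduces the doPrivileged() scenarios and the doAs() scenarios from the slides; permission and class names are constructed, and in the nested case Class 2's own domain is assumed to be {P1} because the slides list only the augmented sets.

```java
import java.util.*;

/** Model of the Java 2 AccessController check: stage 1 collects the ProtectionDomain of each
 *  frame down to the nearest doPrivileged() frame, stage 2 requires every collected domain to
 *  imply the Permission. JAAS Subject.doAs() is modelled by adding the Subject's permissions
 *  to the frames it encloses. Permissions are plain strings such as "P1". */
public class AccessControlModel {

    /** One stack frame of the thread being checked. */
    static final class Frame {
        final String name;
        final Set<String> domainPerms;   // Permissions of the class's ProtectionDomain
        final Set<String> subjectPerms;  // Permissions contributed by the Subject of an enclosing doAs()
        final boolean privileged;        // frame annotated by AccessController.doPrivileged()
        final Set<String> context;       // AccessControlContext passed to doPrivileged(), or null

        Frame(String name, Set<String> domainPerms, Set<String> subjectPerms,
              boolean privileged, Set<String> context) {
            this.name = name; this.domainPerms = domainPerms; this.subjectPerms = subjectPerms;
            this.privileged = privileged; this.context = context;
        }
    }

    static Set<String> set(String... p) { return new HashSet<>(Arrays.asList(p)); }
    static Frame frame(String name, Set<String> domain) { return new Frame(name, domain, set(), false, null); }
    static Frame privileged(String name, Set<String> domain, Set<String> acc) {
        return new Frame(name, domain, set(), true, acc);
    }
    static Frame doAs(String name, Set<String> domain, Set<String> subject) {
        return new Frame(name, domain, subject, false, null);
    }

    static Set<String> intersect(Set<String> a, Set<String> b) {
        Set<String> r = new HashSet<>(a);
        r.retainAll(b);
        return r;
    }

    /** Effective Permission set of the thread: the intersection of every frame's (domain U subject)
     *  permissions from the innermost frame outward, stopping at a doPrivileged() frame, whose own
     *  domain (and supplied AccessControlContext, if any) is still checked but whose callers are not.
     *  Returns null when no application domain was collected (only fully trusted code is running). */
    static Set<String> effectivePermissions(List<Frame> stack) {
        Set<String> result = null;
        for (int i = stack.size() - 1; i >= 0; i--) {         // innermost frame is last in the list
            Frame f = stack.get(i);
            Set<String> eff = new HashSet<>(f.domainPerms);
            eff.addAll(f.subjectPerms);                       // Subject.doAs() augments, never truncates
            result = (result == null) ? eff : intersect(result, eff);
            if (f.privileged) {
                if (f.context != null) result = intersect(result, f.context);
                return result;                                // stage 1 exits the loop here
            }
        }
        return result;
    }

    /** Stage 2: the Permission must be implied by every collected ProtectionDomain. */
    static boolean checkPermission(List<Frame> stack, String perm) {
        Set<String> eff = effectivePermissions(stack);
        return eff == null || eff.contains(perm);
    }

    static void report(String label, List<Frame> stack, String... perms) {
        System.out.println(label + ": effective = " + effectivePermissions(stack));
        for (String p : perms)
            System.out.println("  checkPermission(" + p + ") " + (checkPermission(stack, p) ? "succeeds" : "fails"));
    }

    public static void main(String[] args) {
        // Class1.methodA {P1,P3} calls Class2.methodB {P2,P3}: only the common permission survives
        List<Frame> plain = List.of(frame("Class1.methodA", set("P1", "P3")),
                                    frame("Class2.methodB", set("P2", "P3")));
        report("no doPrivileged", plain, "P1", "P2", "P3");

        // Class2.methodB calls Class2.methodC inside doPrivileged(): Class1's domain is no longer checked
        List<Frame> priv = List.of(frame("Class1.methodA", set("P1", "P3")),
                                   privileged("Class2.methodB", set("P2", "P3"), null),
                                   frame("Class2.methodC", set("P2", "P3")));
        report("doPrivileged in Class2", priv, "P1", "P2", "P3");

        // doPrivileged(action, AccessControlContext({P3,P4})) in Class1.methodA, then Class2.methodB
        List<Frame> acc = List.of(privileged("Class1.methodA", set("P1", "P3"), set("P3", "P4")),
                                  frame("Class2.methodB", set("P2", "P3")));
        report("doPrivileged with AccessControlContext", acc, "P1", "P2", "P3", "P4");

        // JAAS: Class 2 calls Subject.doAs(X) with X = {P1,P4}; Classes 3 and 4 run with X's permissions added
        Set<String> x = set("P1", "P4");
        List<Frame> jaas = List.of(frame("Class 1", set("P1", "P2")), frame("Class 2", set("P1", "P3")),
                                   doAs("Class 3", set("P2"), x), doAs("Class 4", set("P1", "P5"), x));
        report("Subject.doAs(X)", jaas, "P1", "P2");

        // Nested doAs(): doAs(Y) replaces Subject X for the frames below it.
        // Assumption: Class 2's own domain is {P1}; the slides list only the augmented sets.
        List<Frame> nested = List.of(frame("Class 1", set("P1", "P2")),
                                     doAs("Class 2", set("P1"), set("P2", "P3")),
                                     doAs("Class 2", set("P1"), set("P1", "P3")));
        report("doAs(X) then doAs(Y)", nested, "P1", "P2");
    }
}
```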

Example: EJB Authorization Using JAAS
- EJBRole classes
- EJBMethodPermission class for EJB method authorization

EJBRole

    // Principal is an interface, so the role class implements it
    public class EJBRole implements java.security.Principal {
        private String name;   // role name

        public EJBRole(String roleName) {
            name = roleName;
        }

        public String getName() {
            return name;
        }
        ...
    }

EJBMethodPermission

    public class EJBMethodPermission extends java.security.Permission {
        public EJBMethodPermission(String roleName) {
            super(roleName);
        }

        public boolean implies(Permission p) {
            return equals(p);
        }

        // equals(Object) is the signature Permission declares; equals(Permission) would not override it
        public boolean equals(Object p) {
            ...
            if (!(p instanceof EJBMethodPermission)) return false;
            if (!getName().equals(((Permission) p).getName())) return false;
            return true;
        }

        // Permission is abstract: hashCode() and getActions() must be implemented as well
        public int hashCode() { return getName().hashCode(); }
        public String getActions() { return ""; }
        ...
    }

EJBPrivilegedAction

    public class EJBPrivilegedAction implements PrivilegedAction {
        private EJBMethodPermission methodPermission;
        private Method ejbMethod;
        private Object ejbMethodArgs[];

        public EJBPrivilegedAction(String deployedEjbApplicationName, String className,
                                   String methodName, Method ejbMethodToCall, Object methodArgs[]) {
            // separators keep distinct (application, class, method) triples from yielding the same name
            methodPermission = new EJBMethodPermission(
                deployedEjbApplicationName + "/" + className + "/" + methodName);
            ejbMethod = ejbMethodToCall;
            ejbMethodArgs = methodArgs;
        }

EJBPrivilegedAction

        public Object run() {
            SecurityManager sm = System.getSecurityManager();
            if (sm == null)   // fail closed: without a SecurityManager no policy would be enforced
                throw new SecurityException("no SecurityManager installed");
            sm.checkPermission(methodPermission);   // throws AccessControlException if not granted
            // use reflection to make the actual method invocation
            ...
        }
    }

Build an EJB Subject

    ...
    Subject EjbSubject = new Subject();
    Set principals = EjbSubject.getPrincipals();
    // Get Role names from the authenticator
    String[] roleNames = authenticator.getRoleNames();
    for (int i = 0; i < roleNames.length; i++)
        principals.add(new EJBRole(roleNames[i]));
    ...

EJB Method Authorization and Invocation

    ...
    // ejbPrivilegedAction is an array of privileged actions
    // that implement authorization and call the
    // associated EJB object. For efficiency, this array
    // was previously constructed.
    // use try / catch / finally block to handle
    // authorization or other failure
    Subject.doAs(EjbSubject, ejbPrivilegedAction[i]);
    ...

Server Managed Security Policy


Security Policy - Reference
- Authorization policy nominally stored in an instance of java.security.Policy
- Reference implementation is file based
  - Loads from lib/security/java.policy and ${user.home}/.java.policy
- Keystore is file based
  - Location can be defined in the java.policy file

Security Policy - Configuration
- Security configuration parameters stored in lib/security/java.security
- policy.url.x specifies an enumerated set of URLs from which to load Java security policy

    policy.url.1=file:/${java.home}/lib/security/java.policy
    policy.url.2=file:/${user.home}/.java.policy

- Based on the flat file format
- Change/add URLs so policy is server-based

    policy.url.1=http://CentralServer/javapolicy/java.policy

  Note that a policy fetched over plain http is neither authenticated nor integrity protected; serve it over a channel that is (https with server verification, or a signed file) so the policy cannot be altered in transit.

Security Policy - Policy class
- Security configuration parameters stored in lib/security/java.security
- policy.provider specifies the class that holds/defines security policy

    policy.provider=sun.security.provider.PolicyFile

- Replace class name with alternative
  - XML based
  - PolicyDirector based

Security Policy - Keystore
- Certificate keys specified in the policy file: keystore "<keystore URL>"
  - Absolute location: keystore "http://myserver/ora/keystore"
  - Relative to the policy file location: keystore ".keystore"
- Only first keystore allowed
  - Only the first keystore statement is processed

Summary
- Update java.security file
  - Specify URL(s) for new locations of the java.policy
- Place keystore location in the java.policy file
- Update java.security file to specify new Policy object implementation class

Resources
- Java 2 Network Security. Marco Pistoia, et al. Prentice Hall, 1999. ISBN 0-13-015592-6
- http://www.research.ibm.com/compsci/security/javasec/
- http://java.sun.com/security
- http://java.sun.com/products/jaas
- http://java.sun.com/products/ejb
- Enterprise JavaBeans(TM) Specification, v1.1
  - Security: chapter 15
  - Deployment descriptor: chapter 16
  - Runtime environment: chapter 18