Enterprise Java Security Directions Larry Koved IBM Research T.J. Watson Research Center
The O'Reilly Conference on Java - Enterprise Java O'Reilly v5 - Larry Koved
Copyright 2000 IBM Corp.
Page 1
Trademarks
Java, Java 2, Enterprise JavaBeans are trademarks or registered trademarks of Sun Microsystems Inc.

Talk Outline
- Enterprise Java Beans (EJB)
  - EJB overview
  - EJB 1.1 Security
- Java Authentication & Authorization Services (JAAS)
  - Java 2 Authorization - brief review
  - JAAS - Authorization
- Server Managed Security Policy

Enterprise Java Beans
Multi-Tier Model
(Diagram: three tiers, from the client inward: Presentation; Business Logic / Rules; Business Objects. The presentation tier is reached over the Internet; the business tiers live on the Intranet.)

J2EE and EJB
(Diagram of the tiers:)
- Client
- Middle Tier: Web Server (Servlets, JSP, HTML, XML) and EJB Server (JNDI, JMS, JavaMail)
- Enterprise Information Systems: RDBMS, ERP, Legacy apps.
What is it?
"The Enterprise JavaBeans architecture is a component architecture for the development and deployment of component-based distributed business applications. Applications written using the Enterprise JavaBeans architecture are scaleable, transactional, and multi-user secure. These applications may be written once, and deployed on any server platform that supports the Enterprise JavaBeans specification." (Enterprise JavaBeans Specification, v1.1, Copyright 1999 by Sun Microsystems, Inc.)

Services Provided By An EJB Container
- Concurrency
- Transactions
- Persistence
- Distributed objects
- Naming
- Security

Simplified Definition
Enterprise JavaBeans is a standard server-side component model for component-based distributed transaction monitors. (Adapted from Enterprise JavaBeans, by Richard Monson-Haefel. O'Reilly, 1999.)

EJB Components
- Portable, reusable, "black box" software.
- Components can be aggregated to create larger components.
Remote Method Invocation
(Diagram: client code calls a stub; the stub marshals the objects and sends them over RMI / IIOP to the server; the server's skeleton unmarshals them and calls the server code. An authorization control point is marked on the path between stub and skeleton.)

What is a Transaction Monitor?
Satisfies ACID properties:
- Atomicity: all-or-nothing
- Consistency: internally consistent
- Isolation: serializability
- Durability: survive TP failure
Specifically, we're interested in transaction monitors for a distributed multi-tiered computing model.

EJB Roles
- Enterprise Bean Provider
- Application Assembler
- Deployer
- System Administrator
- EJB Server Provider
- EJB Container Provider
Development / Deployment Process
(Diagram: the EJB roles in hand-off order: Enterprise Bean Providers, Application Assembler, Deployer, System Administrator.)

Enterprise Bean Provider
Example Automobile Bean
(Diagram: the client holds a home stub and an EJB object stub, typed by the home interface and the remote interface respectively. Inside the EJB server, the EJB container holds the EJB home (implementing the home interface), the EJB object (implementing the remote interface) and, behind it, the bean class.)

Classes and Interfaces: Home interface
- Lifecycle methods: new, remove and find beans
- Extends javax.ejb.EJBHome, which extends java.rmi.Remote
- The actual implementation of the interface is called an EJB home.

Classes and Interfaces: Remote Interface
- Externally defined business methods
- Extends javax.ejb.EJBObject, which extends java.rmi.Remote
- The actual implementation of the interface is called an EJB object.

Classes and Interfaces: Bean class
- Business methods
- Must implement the method signatures defined in the remote interface, and some methods in the home interface
- Implements either javax.ejb.EntityBean or javax.ejb.SessionBean (both are interfaces)

FYI - EJB Flavors
- Entity Beans
  - Instances usually persistent
  - Bean vs. Container managed persistence
- Session Beans
  - Non-persistent instances
- Both are transactional

Classes and Interfaces: Primary key
- Only used by Entity Beans
- Used as an index into the database
- Implements Serializable
Example: Remote Interface
Automobile Bean

    import java.rmi.RemoteException;

    // Every method of a remote interface must declare RemoteException.
    public interface Automobile extends javax.ejb.EJBObject {
        public String getOwner() throws RemoteException;
        public void setOwner(String owner) throws RemoteException;
        public AutoVIN getAutoVIN() throws RemoteException;
        public void setAutoVIN(AutoVIN vin) throws RemoteException;
    }

Example: Home Interface
Automobile Bean

    import java.rmi.RemoteException;
    import javax.ejb.CreateException;
    import javax.ejb.FinderException;

    // EJB 1.1: create methods declare CreateException, finders declare FinderException.
    public interface AutomobileHome extends javax.ejb.EJBHome {
        public Automobile create(AutoVIN vin) throws CreateException, RemoteException;
        public Automobile findByPrimaryKey(AutoVIN vin) throws FinderException, RemoteException;
    }

Example: EJB
Automobile Bean

    import javax.ejb.EntityBean;
    import javax.ejb.EntityContext;

    // The bean class implements (not extends) javax.ejb.EntityBean and
    // carries state, so it is a class rather than an interface.
    public class AutomobileBean implements EntityBean {
        public AutoVIN vin;
        public Owner own;
        . . .

        // Business methods: signatures match the remote interface
        public String getOwner() { . . . }
        public void setOwner(String owner) { . . . }
        public AutoVIN getAutoVIN() { . . . }
        public void setAutoVIN(AutoVIN vin) { . . . }

Example: EJB (continued)
Automobile Bean

        // Home-interface counterparts and container callbacks
        public AutoVIN ejbCreate(AutoVIN newVIN) { ... }
        public void ejbPostCreate(AutoVIN newVIN) { ... }   // takes the same arguments as ejbCreate
        public void setEntityContext(EntityContext c) { ... }
        public void unsetEntityContext() { ... }
        public void ejbActivate() { ... }
        public void ejbPassivate() { ... }
        public void ejbLoad() { ... }
        public void ejbStore() { ... }
        public void ejbRemove() { ... }
        ...
    }
EJB Security
Mostly, it is about a process

EJB Security
- Defined with respect to each of the EJB "Roles": Provider, Assembler, Deployer, Administrator, Container
- Deployment Descriptor
  - "Security Roles"
  - Security "Role Refs"

Objectives
- Be policy driven
  - Not hardcoded
- Reduce application developer's burden
  - Delegated responsibility to the "more qualified EJB roles"
  - Effective security policy defined by deployer and administrator roles
- Allow bean portability between containers

4 Perspectives of EJB Security
- Policy-based method level authorization
- Application security APIs
- Delegation
- Other security aspects of EJB 1.1

Policy Based Authorization: Bean Provider
- Method level authorization: no application code required
- Beans accessed only thru container

Policy Based Authorization: Application Assembler
- An application is composed of one or more Enterprise Java Beans
- Typical application is one or more EJBs in an EJB-JAR file

Application Assembler*
"The security view consists of a set of security roles. A security role is a semantic grouping of permissions that a given type of users of an application must have in order to successfully use the application. The Application Assembler defines method permissions for each security role. A method permission is a permission to invoke a specified group of methods of the enterprise bean's home and remote interfaces. It is important to keep in mind that the security roles are used to define the logical security view of an application. They should not be confused with the user groups, users, principals, and other concepts that exist in the target enterprise's operational environment."
* Enterprise JavaBeans Specification, v1.1, section 15.3

Application Assembler*
"In special cases, a qualified Deployer may change the definition of the security roles for an application, or completely ignore them and secure the application using a different mechanism that is specific to the operational environment."
* Enterprise JavaBeans Specification, v1.1, section 15.3

Application Assembler: Security Roles
- One or more (logical) security roles are optionally defined in the deployment descriptor.
- Groups of methods in the home/remote interfaces are assigned to the roles.
- Methods require the caller to be in one or more of the "security roles".
- Scope of the security-role names: the ejb-jar file. Role names apply to all EJBs in the file.
Application Assembler: Defining Role Names

    ...
    <security-role>
        <description>
            For employees who provide service to customers (counter clerks),
            or provide back office support (e.g., registration renewal by mail).
        </description>
        <role-name>DmvClerk</role-name>
    </security-role>
    <security-role>
        <description>This role is intended for DMV clerk supervisors.</description>
        <role-name>DmvSupervisor</role-name>
    </security-role>
    ...

Application Assembler: Method Permissions

    ...
    <method-permission>
        <role-name>DmvSupervisor</role-name>
        <method>
            <ejb-name>AutomobileBean</ejb-name>
            <method-name>*</method-name>
        </method>
    </method-permission>
    ...

Application Assembler: Method Permissions

    ...
    <method-permission>
        <role-name>DmvClerk</role-name>
        <method>
            <ejb-name>AutomobileBean</ejb-name>
            <method-name>getOwner</method-name>
        </method>
        <method>
            <ejb-name>AutomobileBean</ejb-name>
            <method-name>setOwner</method-name>
        </method>
        <method>
            <ejb-name>AutomobileBean</ejb-name>
            <method-name>getVIN</method-name>
        </method>
        <method>
            <ejb-name>AutomobileBean</ejb-name>
            <method-name>EJBCreate</method-name>
        </method>
    </method-permission>
    ...

Application Assembler: Method Permissions

    ...
    <method-permission>
        <role-name>WebAccess</role-name>
        <method>
            <ejb-name>AutomobileBean</ejb-name>
            <method-name>findByPrimaryKey</method-name>
        </method>
        <method>
            <ejb-name>AutomobileBean</ejb-name>
            <method-name>getOwner</method-name>
        </method>
    </method-permission>
    ...
Policy Based Authorization: Deployer
- Responsible for installing the application configured by the Application Assembler.
- Container provides tools to read and process the deployment descriptor.
  - "Hints" from the app. assembler
- Assign security domain / principal realm to the application
  - Users/groups to "security roles"

Policy Based Authorization: Deployer
- Assignment of users / groups is done on a per application (ejb-jar) instance basis:
  - Different ejb-jars with the same security role names may have different security mappings in the same container.
  - Multiple instances of an EJB are allowed in the same container; their role/principal mappings may be different.

Policy Based Authorization: EJB Container Provider
- Provides Deployer security tools
- Must enforce policies defined by Deployer
  - Authentication of principals
  - Access authorization for Bean methods
  - Client must be assigned to at least one security role
  - Access to beans only via home/remote interface

Policy Based Authorization: System Administrator
- Administration of principals
- Principal mapping

4 Perspectives of EJB Security
- Policy-based method level authorization
- Application security APIs
- Delegation
- Other security aspects of EJB 1.1

Application Security APIs: Bean Provider
- Security APIs available when really needed (see next page)
- Unable to influence principal
  - Policy defined by deployer / admin
  - Enforced by container
  - Underlying OS principal undefined
  - Deployment descriptor conveys info
Application Security APIs: Bean Provider

    package javax.ejb;

    public interface EJBContext {
        // E.g., use as a key for DB lookup.
        // The name returned is dependent on the
        // container implementation.
        java.security.Principal getCallerPrincipal();

        // See RoleRef in deployment descriptor.
        // Perhaps use for role-limiting resource access
        boolean isCallerInRole(String roleName);

        // (the non-security methods of EJBContext are omitted here)
    }
Deployment Descriptor: Security-Role-Ref

    ...
    <entity>
        <ejb-name>AutomobileBean</ejb-name>
        <ejb-class>com.WeAreCars.AutomobileBean</ejb-class>
        ...
        <security-role-ref>
            <description>Blah, blah, blah. Not for tool automation.</description>
            <role-name>DmvRecordViewing</role-name>
        </security-role-ref>
        ...
    </entity>
    ...

isCallerInRole example

    ...
    // Does the caller have the DmvRecordViewing role?
    if ( context.isCallerInRole("DmvRecordViewing") ) {
        // action if in DmvRecordViewing
        ...
    } else {
        // action otherwise
    }
    ...

Deployment Descriptor: Security-Role-Ref
- Scope of the security-role-ref names: the <entity> or <session> element in which the security-role-ref is defined.

Application Security APIs: Application Assembler
- An application is composed of one or more Enterprise Java Beans.
- The "security-role-ref"s of each EJB are mapped to "security roles" within an EJB-JAR
- Map EJB scoped security-role-ref names to EJB-JAR scoped "security role" names

Deployment Descriptor: Defining Role Names

    ...
    <security-role>
        <description>
            For customers (World Wide Web / Internet), or who want to avoid
            the DMV offices or traditional mail services.
        </description>
        <role-name>WebAccess</role-name>
    </security-role>
    ...

Deployment Descriptor: Method Permissions

    ...
    <method-permission>
        <role-name>WebAccess</role-name>
        <method>
            <ejb-name>AutomobileBean</ejb-name>
            <method-name>findByPrimaryKey</method-name>
        </method>
        <method>
            <ejb-name>AutomobileBean</ejb-name>
            <method-name>getOwner</method-name>
        </method>
    </method-permission>
    ...

Deployment Descriptor: Role-Ref / Role Linking

    ...
    <entity>
        <ejb-name>AutomobileBean</ejb-name>
        <ejb-class>com.WeAreCars.AutomobileBean</ejb-class>
        ...
        <security-role-ref>
            <description>Blah, blah, blah. Ignored by tools.</description>
            <role-name>DmvRecordViewing</role-name>
            <role-link>WebAccess</role-link>
        </security-role-ref>
        ...
    </entity>
    ...
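The following Java program is an added example, not code from the talk or from any EJB container. It models the container-side decisions described on the Method Permissions, Security-Role-Ref / Role Linking and Deployer slides above: the method-permission table (including the "*" wildcard), the "at least one security role" rule, the per-ejb-jar-instance principal-to-role mapping, and how isCallerInRole() translates a bean-scoped role-ref through role-link to an ejb-jar-scoped role. The class and method names are this example's own; the role names, method names and role-link are the DMV descriptor values from the slides; the principal-to-role mappings are constructed (that is the Deployer's job). It needs Java 16 or later for records.

```java
import java.util.*;

// Added example (not the talk's or any container's code): a model of the
// container-side checks driven by the DMV deployment descriptor on the slides.
public class MethodPermissionPolicy {

    /** One <method-permission> entry: roleName may call ejbName.methodName ("*" = every method). */
    record MethodPermission(String roleName, String ejbName, String methodName) {
        boolean covers(String ejb, String method) {
            return ejbName.equals(ejb) && (methodName.equals("*") || methodName.equals(method));
        }
    }

    private final List<MethodPermission> methodPermissions;        // <method-permission> entries
    private final Map<String, Map<String, String>> roleLinks;      // ejb-name -> role-ref name -> role-link
    private final Map<String, Set<String>> principalRoles;         // Deployer's mapping for this ejb-jar instance

    MethodPermissionPolicy(Set<String> securityRoles,             // <security-role> names, ejb-jar scope
                           List<MethodPermission> methodPermissions,
                           Map<String, Map<String, String>> roleLinks,
                           Map<String, Set<String>> principalRoles) {
        // Assembly-time validation: every method-permission and role-link must name a
        // declared role, otherwise a misspelled role silently denies (or never links) forever.
        for (MethodPermission mp : methodPermissions)
            if (!securityRoles.contains(mp.roleName()))
                throw new IllegalArgumentException("undeclared role in method-permission: " + mp.roleName());
        for (Map<String, String> links : roleLinks.values())
            for (String target : links.values())
                if (!securityRoles.contains(target))
                    throw new IllegalArgumentException("role-link to undeclared role: " + target);
        this.methodPermissions = methodPermissions;
        this.roleLinks = roleLinks;
        this.principalRoles = principalRoles;
    }

    /** Roles the Deployer mapped this principal to in this ejb-jar instance; empty if unmapped. */
    Set<String> rolesOf(String principal) {
        return principalRoles.getOrDefault(principal, Collections.emptySet());
    }

    /** The container's check before dispatching a home/remote method to the bean. */
    boolean canInvoke(String principal, String ejbName, String methodName) {
        Set<String> roles = rolesOf(principal);
        if (roles.isEmpty()) return false;               // client must be in at least one security role
        for (MethodPermission mp : methodPermissions)
            if (mp.covers(ejbName, methodName) && roles.contains(mp.roleName()))
                return true;
        return false;                                    // nothing grants it: deny
    }

    /** What EJBContext.isCallerInRole(roleRef) resolves to inside a bean: the bean-scoped
     *  role-ref is first translated through <role-link> to the ejb-jar-scoped role. */
    boolean isCallerInRole(String principal, String ejbName, String roleRef) {
        String linked = roleLinks.getOrDefault(ejbName, Collections.emptyMap()).get(roleRef);
        if (linked == null)
            throw new IllegalStateException(ejbName + " declares no role-link for " + roleRef);
        return rolesOf(principal).contains(linked);
    }

    public static void main(String[] args) {
        // Descriptor content taken from the slides
        Set<String> roles = Set.of("DmvClerk", "DmvSupervisor", "WebAccess");
        List<MethodPermission> perms = List.of(
            new MethodPermission("DmvSupervisor", "AutomobileBean", "*"),
            new MethodPermission("DmvClerk", "AutomobileBean", "getOwner"),
            new MethodPermission("DmvClerk", "AutomobileBean", "setOwner"),
            new MethodPermission("DmvClerk", "AutomobileBean", "getVIN"),
            new MethodPermission("DmvClerk", "AutomobileBean", "EJBCreate"),
            new MethodPermission("WebAccess", "AutomobileBean", "findByPrimaryKey"),
            new MethodPermission("WebAccess", "AutomobileBean", "getOwner"));
        Map<String, Map<String, String>> links = Map.of("AutomobileBean", Map.of("DmvRecordViewing", "WebAccess"));

        // Constructed Deployer mappings: the same ejb-jar deployed twice with different realms
        MethodPermissionPolicy office = new MethodPermissionPolicy(roles, perms, links,
            Map.of("clerk1", Set.of("DmvClerk"), "boss", Set.of("DmvSupervisor")));
        MethodPermissionPolicy web = new MethodPermissionPolicy(roles, perms, links,
            Map.of("customer42", Set.of("WebAccess")));

        System.out.println(office.canInvoke("clerk1", "AutomobileBean", "setOwner"));      // true
        System.out.println(office.canInvoke("clerk1", "AutomobileBean", "remove"));        // false: not in the clerk's list
        System.out.println(office.canInvoke("boss", "AutomobileBean", "remove"));          // true: wildcard
        System.out.println(web.canInvoke("customer42", "AutomobileBean", "setOwner"));     // false: read-only role
        System.out.println(web.canInvoke("customer42", "AutomobileBean", "getOwner"));     // true
        System.out.println(web.canInvoke("clerk1", "AutomobileBean", "getOwner"));         // false: unmapped in this instance
        System.out.println(web.isCallerInRole("customer42", "AutomobileBean", "DmvRecordViewing")); // true, via role-link
    }
}
```

The two policy instances share one descriptor but different principal mappings, which is the per-ejb-jar-instance behaviour the Deployer slides describe; the constructor's validation is the check a deployment tool should make, since an unlinked or misspelled role is otherwise only noticed as a silent "false" at run time.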
4 Perspectives of EJB Security
- Policy-based method level authorization
- Application security APIs
- Delegation
  - Method Invocation
- Other security aspects of EJB 1.1

Delegation: Bean Provider
- Unable to influence delegation
  - Effective security policy defined by deployer / administrator
  - Enforced by container
  - Underlying OS principal undefined
  - Deployment descriptor conveys info

Delegation: Deployer
- Principal delegation is configured by the deployer
- Nominally, propagate the caller principal (though, not guaranteed)
- Assembler may have provided comments on how the container should perform delegation
- Unspecified delegation semantics result in the value returned by getCallerPrincipal() being ill defined

Delegation: EJB Container Provider
- Support delegation / principal mapping as defined by Deployer
- Support javax.ejb.EJBContext isCallerInRole(), getCallerPrincipal()
- Principal mapping across domains

EJB Client
- Transactional clients not allowed to change principal within a transaction
- Session Bean's client not allowed to change principal for the duration of communication with the session object
- If transaction requests arrive from multiple clients, they must all have the same security context

4 Perspectives of EJB Security
- Policy-based method level authorization
- Application security APIs
- Delegation
- Other security aspects of EJB 1.1

Architecture / Implementation
- EJB architecture does not specify the security architecture / implementation for the container
- Specifies expected behavior

Bean Provider: Programming Restrictions
- Read/write to static fields (final)
- Thread management / synchronization
- AWT
- File I/O
- Socket listen / accept / multicast
- Reflection to bypass security/safety
- ClassLoaders, define new classes/packages
- Socket factories
- Native libraries
- Serialization substitution
- Security policy access / control objects
- Entity/Session Context.getEJBObject()

Bean Provider: Programming Restrictions - Java 2

    Permission Name          EJB Container Policy
    AllPermission            deny
    AWTPermission            deny
    FilePermission           deny
    NetPermission            deny
    PropertyPermission       deny
    ReflectPermission        deny
    RuntimePermission        grant "queuePrintJob"; else deny
    SecurityPermission       deny
    SerializablePermission   deny
    SocketPermission         grant "connect", "*"; else deny

Deployer
- Assignment of users / groups is done on a per application (ejb-jar) instance basis:
  - Different ejb-jars with the same role names may have different security mappings in the container.
  - Multiple instances of the same Bean may be colocated in the same container

EJB Container Provider
- Provides Deployer security tools
- Support one or more security domains / principal realms
- Secure communication with remote clients

EJB Container Provider
- Provide secure access to resource managers
- Audit trail
- Beans can not access container / resources except through defined container APIs
  - EJB APIs
  - Standard extension APIs

System Administrator
- Administration of principals
- Principal mapping
- Audit trail review
Java Authentication and Authorization Services (JAAS)

What is JAAS?
- Address Java 2 shortcomings:
  - Authentication services
  - Principal-based authorization
- Enable integration of authentication with existing security services
- Builds upon Java 2
  - CodeSource authorization
  - AccessController

Key elements:
- Subject - any user of computing
- Principal - names of the user
- Credentials - security attributes
  - E.g., for authentication: PGP, X509, SSO, Kerberos, etc.
  - public / private
- LoginModules
  - Pluggable, Stackable
  - Application independent of authentication services

Java 2 Standard Edition Security: Review
CodeSource Authorization

CodeSource
- Combination of a set of Signers (certificates) and a code base URL
(Diagram: a CodeSource drawn as the Code Base URL together with Certificate 1, Certificate 2, ..., Certificate N.)

Policy
- A Permission is an access right to a protected resource
- In Java 2, Permissions are stored in the Policy object
- The reference implementation is file based
Sample Java 2 Policy
- grant entries
  - Describe Permissions granted to CodeSources
  - An entry may contain one or more Permissions

    grant signedBy "mykey", codeBase "file:E:/ORA/app/*"
    {
        permission java.lang.RuntimePermission "queuePrintJob";
    };
ProtectionDomain
- A ProtectionDomain contains:
  - A CodeSource
  - The Permissions granted to the CodeSource
- SecureClassLoader assigns a ProtectionDomain to each loaded class
- Classes with different CodeSources belong to different ProtectionDomains
(Diagram: a ProtectionDomain drawn as a CodeSource (Code Base URL plus Certificate 1 ... Certificate N) together with the PermissionCollections holding Permission 1 ... Permission M.)

Classes, ProtectionDomains & Permissions
- Each class is assigned to only one ProtectionDomain, as determined by its CodeSource
- Each ProtectionDomain may include zero or more Permissions
- Multiple classes from the same CodeSource are assigned the same ProtectionDomain

Example Guard on Resource

    . . .
    /* Check to see if the calling code is authorized. If not, a
       SecurityException (AccessControlException) will be thrown */
    AccessController.checkPermission( new RuntimePermission("user.home") );
    // Trusted code starts here.
    . . .

The GetProperty Example

    import java.security.*;

    class GetProperty {
        public static void main(String[] args) {
            String s;
            try {
                if (args.length > 0) {
                    s = System.getProperty(args[0], "name " + args[0] + " not specified");
                    System.out.println(args[0] + " property value is: " + s);
                } else {
                    System.out.println("Property name required");
                }
            } catch (Exception e) {
                System.err.println("Caught exception " + e.toString());
            }
        }
    }

Threads of Execution in Java
- Each thread in the JVM contains a number of stack frames
- Each stack frame contains the method instance variables for a method called in the current thread
- A thread of execution may:
  - Occur completely within a single protection domain
  - Involve application ProtectionDomain(s) and the system ProtectionDomain
Check of Current Thread
Calling hierarchy (most recent frame first):

    java.security.AccessController.checkPermission()
    java.lang.SecurityManager.checkPropertyAccess()
    java.lang.System.getProperty()
    GetProperty.main()

checkPermission() testing:
1. AccessController is in the system ProtectionDomain: Permission is implicitly granted. Proceed to the next frame on the thread stack.
2. SecurityManager is in the system ProtectionDomain: Permission is implicitly granted. Proceed to the next frame on the thread stack.
3. System is in the system ProtectionDomain: Permission is implicitly granted. Proceed to the next frame on the thread stack.
4. GetProperty is in the application domain: Is the permission granted? If yes, then proceed to the next frame on the thread stack. If no, throw a SecurityException.

Determining the Permission Set of a Thread
The Permission set of a thread is the intersection of all ProtectionDomains traversed by the execution thread. With ProtectionDomain i (i = 1, 2, ..., K) holding the permissions Perm_{i,1}, ..., Perm_{i,M_i}:

$$\mathrm{Perm}(\text{thread}) = \bigcap_{i = 1, 2, \dots, K} \{\, \mathrm{Perm}_{i,j} : j = 1, 2, \dots, M_i \,\}$$
Authorization - Permissions
- Class1.methodA calls Class2.methodB
- ProtectionDomain for Class1 = { P1, P3 }
- ProtectionDomain for Class2 = { P2, P3 }
- checkPermission(P1) fails
- checkPermission(P2) fails
- checkPermission(P3) succeeds

Authorization - Permissions
- Class1.methodA calls Class2.methodB, which calls AccessController.doPrivileged(), which calls Class2.methodC
- ProtectionDomain for Class1 = { P1, P3 }
- ProtectionDomain for Class2 = { P2, P3 }
- checkPermission(P1) fails
- checkPermission(P2) succeeds
- checkPermission(P3) succeeds

Authorization - Permissions
- Class1.methodA calls doPrivileged(AccessControlContext({P3,P4})), which calls Class2.methodB
- ProtectionDomain for Class1 = { P1, P3 }
- AccessControlContext = { P3, P4 }
- ProtectionDomain for Class2 = { P2, P3 }
- checkPermission(P3) succeeds
- All others fail.

Lexical Scoping of Privilege Modification
- How privileged code works
- Why it is necessary
- Algorithm for run-time access control verification

Why Privileged Code?
- An application is not allowed to access font files
- The system utility to display a document must obtain those fonts on behalf of the user
- The application is temporarily enabled to access the font files
(Diagram: Application calls System utility, which accesses the File System.)

The Privileged Code Mechanism
- doPrivileged() annotates the stack frame
- AccessController.checkPermission() stops Permission testing at this stack frame
  - ProtectionDomain for the class and all the classes that it calls are checked
  - ProtectionDomain of its callers are not checked
(Diagram of the call hierarchy: the caller classes above the doPrivileged() frame, for which permission testing is not performed; the called classes at and below it, for which permission testing is performed.)

Example Privileged Code
- Must use java.security.PrivilegedAction interface
  - The run() method contains code needing privilege
- AccessController.doPrivileged()
  - Takes a PrivilegedAction object argument
  - Invokes its run() method
  - Returns the run() method's return value

Example - Anonymous Inner Class

    someMethod() {
        // some normal code here...
        AccessController.doPrivileged(new PrivilegedAction() {
            public Object run() {
                // privileged code goes here, for example:
                System.loadLibrary("awt");
                return null; // nothing to return
            }
        });
        // some normal code here...
    }
AccessController Algorithm - Stage 1: Build AccessControlContext
- Build the AccessControlContext for use in stage 2
- For each class on the thread stack:
  - Get the class's ProtectionDomain
  - If the stack frame is annotated by a doPrivileged(), exit the loop
- If the last stack frame checked is not annotated by a doPrivileged(), add the ProtectionDomains inherited by the current thread when the current thread was instantiated

AccessController Algorithm - Stage 2: Check each ProtectionDomain
- Check each ProtectionDomain to see whether it contains the Permission being checked
- If there are no ProtectionDomains from stage 1, return (only fully trusted code is running)
- For each unique ProtectionDomain P obtained in stage 1, call P's implies() method with the Permission
  - Does P imply the Permission being checked?
  - If no, throw an exception
  - Else, continue

JAAS / J2SE Authorization Relationship
- Policy based
  - Uses a "principal" extension
- Lexically scoped
  - Subject.doAs() & doAsPrivileged() take a PrivilegedAction / PrivilegedExceptionAction as an argument
  - But, no doPrivileged() mark
- Authorization algorithm unmodified

Sample JAAS Policy
- Consists of grant entries
  - Describe Permissions granted to CodeSources and Principals
  - Each entry may contain one or more Permissions

    grant signedBy "mykey", codeBase "file:E:/ORA/app/*",
          principal com.esite.WebPrincipal "George"
    {
        permission java.lang.RuntimePermission "queuePrintJob";
    };

Sample JAAS Policy - Roles
- "Roles" can be assigned to Subjects
- Authorization performed based on the "Role" assigned to the subject

    grant signedBy "mykey", codeBase "file:E:/ORA/app/*",
          principal com.eDMV.MethodRole "DMVSupervisor"
    {
        permission com.ebank.AccountAccess "CloseAccount";
    };
Example doAs()
- Lexically scoped Subject

    . . .
    // Authenticate user & build a Subject wUser
    . . .
    // Switch to the authenticated user
    Subject.doAs(wUser, new PrivilegedAction() {
        public Object run() {   // run(), lower case: it implements PrivilegedAction.run()
            // Work to be done as wUser requiring
            // the addition of the user's privileges
            return processUserRequest();
        }
    } // end of PrivilegedAction
    );
    . . .

Subject.doAs() Effect
- Extends the effective ProtectionDomains of methods called after the Subject.doAs() call
Example scenario

    Thread / Class   Permissions      Effective Thread Permission
    Class 1          { P1, P2 }       { P1, P2 }
    Class 2          { P1, P3 }       { P1 }
    Class 3          { P2 }           { }
    Class 4          { P1, P5 }       { }

checkPermission(P1) fails
Pc1 ∩ Pc2 ∩ Pc3 ∩ Pc4 = { }

Augmented with doAs()

    Thread / Class   Permissions      Effective Thread Permission
    Class 1          { P1, P2 }       { P1, P2 }
    Class 2          { P1, P3 }       { P1 }
    doAs(X)          PX = { P1, P4 }
    Class 3          { P2, P1, P4 }   { P1 }
    Class 4          { P1, P5, P4 }   { P1 }

checkPermission(P1) succeeds!
Pc1 ∩ Pc2 ∩ (Pc3 ∪ PX) ∩ (Pc4 ∪ PX) = { P1 }

Another doAs() scenario

    Thread / Class   Permissions      Effective Thread Permission
    Class 1          { P1, P2 }       { P1, P2 }
    doAs(X)          PX = { P2, P3 }
    Class 2          { P1, P2, P3 }   { P1, P2 }

checkPermission(P2) succeeds!
Pc1 ∩ (Pc2 ∪ PX) = { P1, P2 }

Another doAs() scenario (con't)

    Thread / Class   Permissions      Effective Thread Permission
    Class 1          { P1, P2 }       { P1, P2 }
    doAs(X)          PX = { P2, P3 }
    Class 2          { P1, P2, P3 }   { P1, P2 }
    doAs(Y)          PY = { P1, P3 }
    Class 2          { P1, P3 }       { P1 }

checkPermission(P2) fails!
Pc1 ∩ (Pc2 ∪ PX) ∩ (Pc2 ∪ PY) = { P1 }

Summary
- Subject.doAs() extends the ProtectionDomains of all classes / methods which the PrivilegedAction object calls
- The basic CodeSource authorization algorithm is unmodified
- Subsequent Subject.doAs() calls replace the Subject in the authorization algorithm
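The following Java program is an added example, not code from the talk or from the JDK. It models the two-stage AccessController algorithm from the "AccessController Algorithm" slides, together with the doPrivileged() cut-off from the "Authorization - Permissions" slides and the Subject.doAs() union and replacement from the doAs() scenario tables, and replays each of those slide scenarios. The class names (Domain, Frame, AccessControlModel) and the string permission names P1..P5 are this example's own; a real JVM walks actual stack frames and calls ProtectionDomain.implies(). It needs Java 16 or later for records.

```java
import java.util.*;

// Added example (not the talk's or the JDK's code): a model of stage 1 (build the
// context from the stack) and stage 2 (every domain must imply the permission),
// extended with the Subject.doAs() union from the scenario slides.
public class AccessControlModel {

    /** A ProtectionDomain: the permissions granted to one CodeSource. */
    record Domain(String name, Set<String> permissions) {
        static Domain of(String name, String... perms) { return new Domain(name, Set.of(perms)); }
    }

    /** One stack frame; the innermost (most recent) frame is last in the list. */
    record Frame(Domain domain,
                 boolean privileged,            // this frame called doPrivileged()
                 Set<String> privilegedContext, // AccessControlContext passed to doPrivileged(), or null
                 Set<String> subjectPermissions // permissions of the Subject in force via doAs(), or null
    ) {
        static Frame plain(Domain d)                           { return new Frame(d, false, null, null); }
        static Frame priv(Domain d)                            { return new Frame(d, true, null, null); }
        static Frame privWithAcc(Domain d, Set<String> acc)    { return new Frame(d, true, acc, null); }
        static Frame underDoAs(Domain d, Set<String> subject)  { return new Frame(d, false, null, subject); }
    }

    /** Stage 1: walk from the most recent frame toward the thread's origin. A doAs() Subject
     *  extends the frame's domain (union). A doPrivileged() frame is the last one examined;
     *  an AccessControlContext given to doPrivileged() is added as one more domain to intersect.
     *  Without a privileged frame, the context inherited at thread creation is added too. */
    static List<Set<String>> buildContext(List<Frame> stack, List<Set<String>> inherited) {
        List<Set<String>> context = new ArrayList<>();
        for (int i = stack.size() - 1; i >= 0; i--) {
            Frame f = stack.get(i);
            Set<String> effective = new HashSet<>(f.domain().permissions());
            if (f.subjectPermissions() != null) effective.addAll(f.subjectPermissions());
            context.add(effective);
            if (f.privileged()) {
                if (f.privilegedContext() != null) context.add(f.privilegedContext());
                return context;                 // callers of the privileged frame are not checked
            }
        }
        context.addAll(inherited);
        return context;
    }

    /** Stage 2: every domain in the context must imply the permission.
     *  An empty context means only fully trusted (system) code is running. */
    static boolean checkPermission(List<Set<String>> context, String permission) {
        for (Set<String> domain : context)
            if (!domain.contains(permission)) return false;
        return true;
    }

    /** The thread's effective permission set: the intersection over the context. */
    static Set<String> effective(List<Set<String>> context) {
        Set<String> result = null;
        for (Set<String> domain : context) {
            if (result == null) result = new TreeSet<>(domain); else result.retainAll(domain);
        }
        return result == null ? Set.of() : result;
    }

    static void show(String title, List<Frame> stack, String... perms) {
        List<Set<String>> ctx = buildContext(stack, List.of());   // no inherited context in these scenarios
        StringBuilder sb = new StringBuilder(title + ": effective " + effective(ctx));
        for (String p : perms) sb.append(", ").append(p).append(checkPermission(ctx, p) ? " succeeds" : " fails");
        System.out.println(sb);
    }

    public static void main(String[] args) {
        Domain c1 = Domain.of("Class1", "P1", "P3"), c2 = Domain.of("Class2", "P2", "P3");
        // Class1.methodA calls Class2.methodB: only P3 succeeds
        show("plain call", List.of(Frame.plain(c1), Frame.plain(c2)), "P1", "P2", "P3");
        // Class2.methodB calls doPrivileged() -> Class2.methodC: Class1 is not checked, P2 and P3 succeed
        show("doPrivileged", List.of(Frame.plain(c1), Frame.priv(c2), Frame.plain(c2)), "P1", "P2", "P3");
        // Class1 calls doPrivileged(action, AccessControlContext({P3,P4})) -> Class2.methodB: only P3
        show("doPrivileged with acc",
             List.of(Frame.plain(c1), Frame.privWithAcc(c1, Set.of("P3", "P4")), Frame.plain(c2)),
             "P1", "P2", "P3", "P4");

        Domain k1 = Domain.of("Class 1", "P1", "P2"), k2 = Domain.of("Class 2", "P1", "P3"),
               k3 = Domain.of("Class 3", "P2"),       k4 = Domain.of("Class 4", "P1", "P5");
        // Without doAs(): Pc1 ∩ Pc2 ∩ Pc3 ∩ Pc4 = {}
        show("no doAs", List.of(Frame.plain(k1), Frame.plain(k2), Frame.plain(k3), Frame.plain(k4)), "P1");
        // doAs(X), X = {P1,P4}, before Class 3: Pc1 ∩ Pc2 ∩ (Pc3 ∪ PX) ∩ (Pc4 ∪ PX) = {P1}
        Set<String> x = Set.of("P1", "P4");
        show("doAs(X)", List.of(Frame.plain(k1), Frame.plain(k2), Frame.underDoAs(k3, x), Frame.underDoAs(k4, x)), "P1");
        // A later doAs(Y) replaces X for the frames it covers: Pc1 ∩ (Pc2 ∪ PX) ∩ (Pc2 ∪ PY) = {P1}
        Set<String> px = Set.of("P2", "P3"), py = Set.of("P1", "P3");
        show("doAs(X) then doAs(Y)", List.of(Frame.plain(k1), Frame.underDoAs(k2, px), Frame.underDoAs(k2, py)), "P1", "P2");
    }
}
```

The model makes the summary's two points visible: doAs() only ever adds to a frame's domain, so it can widen the intersection but the intersection itself is unchanged, and because each frame records the Subject in force when it ran, a later doAs(Y) replaces X rather than accumulating with it.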
Example: EJB Authorization Using JAAS
- EJBRole classes
- EJBMethodPermission class for EJB method authorization

EJBRole

    import java.security.Principal;

    // Principal is an interface, so the role class implements it.
    public class EJBRole implements Principal {
        private String name; // role name

        public EJBRole(String roleName) {
            name = roleName;
        }

        public String getName() {
            return name;
        }

        // Principal matching in a policy compares class and name, so
        // equals() and hashCode() are defined over the role name.
        public boolean equals(Object o) {
            return (o instanceof EJBRole) && name.equals(((EJBRole) o).name);
        }

        public int hashCode() {
            return name.hashCode();
        }
        ...
    }

EJBMethodPermission

    import java.security.Permission;

    public class EJBMethodPermission extends Permission {
        public EJBMethodPermission(String roleName) {
            super(roleName);
        }

        // Exact-name match only: no wildcards, no hierarchy.
        public boolean implies(Permission p) {
            return equals(p);
        }

        // Overrides Object.equals(Object); an equals(Permission) overload
        // would never be called by the permission machinery.
        public boolean equals(Object p) {
            if (! (p instanceof EJBMethodPermission) ) return false;
            if ( !getName().equals(((Permission) p).getName()) ) return false;
            return true;
        }

        // Permission declares these abstract; a concrete subclass must supply them.
        public int hashCode() {
            return getName().hashCode();
        }

        public String getActions() {
            return "";
        }
        ...
    }

EJBPrivilegedAction

    import java.lang.reflect.Method;
    import java.security.PrivilegedAction;

    public class EJBPrivilegedAction implements PrivilegedAction {
        private EJBMethodPermission methodPermission;
        private Method ejbMethod;
        private Object ejbMethodArgs[];
        private Object ejbObject; // target of the reflective call; how it is supplied is not shown here

        public EJBPrivilegedAction( String deployedEjbApplicationName,
                                    String className,
                                    String methodName,
                                    Method ejbMethodToCall,
                                    Object methodArgs[] ) {
            // Plain concatenation lets different (application, class, method) triples
            // collide on the same name; a separator between the parts avoids that.
            methodPermission = new EJBMethodPermission(
                deployedEjbApplicationName + className + methodName);
            ejbMethod = ejbMethodToCall;
            ejbMethodArgs = methodArgs;
        }

        public Object run() {
            SecurityManager sm = System.getSecurityManager();
            if (sm == null) // with no SecurityManager nothing would be checked: fail closed
                throw new SecurityException("no SecurityManager installed");
            sm.checkPermission(methodPermission);
            // use reflection to make the actual method invocation
            try {
                return ejbMethod.invoke(ejbObject, ejbMethodArgs);
            } catch (ReflectiveOperationException e) {
                throw new RuntimeException(e);
            }
        }
    }

Build an EJB Subject

    import java.util.Set;
    import javax.security.auth.Subject;

    ...
    Subject EjbSubject = new Subject();
    Set principals = EjbSubject.getPrincipals();
    // Get Role names from the authenticator
    String[] roleNames = authenticator.getRoleNames();
    for (int i = 0; i < roleNames.length; i++)
        principals.add(new EJBRole(roleNames[i]));
    ...

EJB Method Authorization and Invocation

    ...
    // ejbPrivilegedAction is an array of privileged actions
    // that implement authorization and call the
    // associated EJB object. For efficiency, this array
    // was previously constructed.
    // use try / catch / finally block to handle
    // authorization or other failure
    Subject.doAs(EjbSubject, ejbPrivilegedAction[i]);
    ...
Server Managed Security Policy

Security Policy - Reference
- Authorization policy nominally stored in an instance of java.security.Policy
- Reference implementation is file based
  - Loads from lib/security/java.policy and ${user.home}/.java.policy
- Keystore is file based
  - Location can be defined in the java.policy file

Security Policy - Configuration
- Security configuration parameters stored in lib/security/java.security
- policy.url.x specifies an enumerated set of URLs from which to load Java security policy

    policy.url.1=file:/${java.home}/lib/security/java.policy
    policy.url.2=file:/${user.home}/.java.policy

- Based on the flat file format
- Change/add URLs so policy is server-based

    policy.url.1=http://CentralServer/javapolicy/java.policy

Security Policy - Policy class
- Security configuration parameters stored in lib/security/java.security
- policy.provider specifies the class that holds/defines security policy

    policy.provider=sun.security.provider.PolicyFile

- Replace class name with alternative
  - XML based
  - PolicyDirector based

Security Policy - Keystore
- Certificate keys specified in the policy file

    keystore "<keystore URL>"

- Absolute location

    keystore "http://myserver/ora/keystore"

- Relative to the policy file location

    keystore ".keystore"

- Only the first keystore statement is processed

Summary
- Update java.security file
  - Specify URL(s) for new locations of the java.policy
- Place keystore location in the java.policy file
- Update java.security file to specify new Policy object implementation class
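The following Java class is an added example, not code from the talk, from IBM or from the JDK. It is a minimal Policy implementation of the kind that the policy.provider line on the "Security Policy - Policy class" slide would name in place of sun.security.provider.PolicyFile: instead of parsing java.policy files from the policy.url.x locations, it keeps grant entries in memory (a server-managed variant would fill the same table from a central server), and its implies() performs the codeBase and principal matching that the sample Java 2 and JAAS policy entries rely on. The class names (ServerManagedPolicy, Grant, WebPrincipal), the application path and the second permission are this example's assumptions; signedBy (signer certificate) matching is left out. java.security.Policy is deprecated in current JDKs, so the example only constructs the policy and queries it directly rather than installing it.

```java
import java.net.URL;
import java.security.*;
import java.util.*;

// Added example (not the talk's, IBM's or the JDK's code): an in-memory Policy
// whose implies() does the codeBase + principal matching of a JAAS policy grant.
public class ServerManagedPolicy extends Policy {

    /** One grant entry: optional codeBase, optional required principal, and its permissions. */
    record Grant(CodeSource codeBase, Principal principal, PermissionCollection permissions) {}

    /** Stand-in for the "principal com.esite.WebPrincipal" of the sample JAAS policy. */
    record WebPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    private final List<Grant> grants = new ArrayList<>();

    public ServerManagedPolicy() {}    // a policy.provider class needs a public no-arg constructor

    ServerManagedPolicy grant(String codeBase, Principal principal, Permission... perms) throws Exception {
        CodeSource cs = codeBase == null ? null
            : new CodeSource(new URL(codeBase), (java.security.cert.Certificate[]) null);
        Permissions pc = new Permissions();
        for (Permission p : perms) pc.add(p);
        grants.add(new Grant(cs, principal, pc));
        return this;
    }

    /** The question stage 2 of the AccessController algorithm asks of each ProtectionDomain.
     *  A grant applies when its codeBase implies the domain's CodeSource and, for a
     *  principal-qualified grant, the domain carries that principal (Subject.doAs() puts
     *  the Subject's principals into the domains it builds). */
    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        for (Grant g : grants) {
            if (g.codeBase() != null && !g.codeBase().implies(domain.getCodeSource())) continue;
            if (g.principal() != null && !hasPrincipal(domain, g.principal())) continue;
            if (g.permissions().implies(permission)) return true;
        }
        return false;   // no grant covers it: deny
    }

    private static boolean hasPrincipal(ProtectionDomain domain, Principal wanted) {
        for (Principal p : domain.getPrincipals())
            if (p.getClass() == wanted.getClass() && p.getName().equals(wanted.getName())) return true;
        return false;
    }

    /** Static (principal-free) permissions for a CodeSource, as the legacy API asks for them. */
    @Override
    public PermissionCollection getPermissions(CodeSource codesource) {
        Permissions result = new Permissions();
        for (Grant g : grants)
            if (g.principal() == null && (g.codeBase() == null || g.codeBase().implies(codesource)))
                for (Permission p : Collections.list(g.permissions().elements())) result.add(p);
        return result;
    }

    public static void main(String[] args) throws Exception {
        // The sample policy's codeBase grant, plus a constructed principal-qualified grant
        ServerManagedPolicy policy = new ServerManagedPolicy()
            .grant("file:/E:/ORA/app/*", null, new RuntimePermission("queuePrintJob"))
            .grant("file:/E:/ORA/app/*", new WebPrincipal("George"), new RuntimePermission("setIO"));

        java.security.cert.Certificate[] noCerts = null;
        CodeSource app = new CodeSource(new URL("file:/E:/ORA/app/auto.jar"), noCerts);       // constructed path
        CodeSource other = new CodeSource(new URL("file:/tmp/other.jar"), noCerts);           // constructed path
        ProtectionDomain anonymous = new ProtectionDomain(app, null, null, null);
        ProtectionDomain george = new ProtectionDomain(app, null, null, new Principal[] { new WebPrincipal("George") });
        ProtectionDomain elsewhere = new ProtectionDomain(other, null, null, null);

        System.out.println(policy.implies(anonymous, new RuntimePermission("queuePrintJob"))); // true: codeBase grant
        System.out.println(policy.implies(anonymous, new RuntimePermission("setIO")));         // false: needs George
        System.out.println(policy.implies(george, new RuntimePermission("setIO")));            // true: doAs-style domain
        System.out.println(policy.implies(elsewhere, new RuntimePermission("queuePrintJob")));  // false: wrong codeBase
    }
}
```

The CodeSource "file:/E:/ORA/app/*" matches only jars directly in that directory (a "/-" suffix would match recursively), which is the same rule the file-based reference implementation applies to a codeBase in java.policy; the principal test is what makes the second grant visible only inside a Subject.doAs() for George, as the doAs() scenarios above describe.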
Resources
- Java 2 Network Security, Marco Pistoia, et al. Prentice Hall, 1999. ISBN 0-13-015592-6
- http://www.research.ibm.com/compsci/security/javasec/
- http://java.sun.com/security
- http://java.sun.com/products/jaas
- http://java.sun.com/products/ejb
- Enterprise JavaBeans Specification, v1.1
  - Security: chapter 15
  - Deployment descriptor: chapter 16
  - Runtime environment: chapter 18