Java, JAAS and JBoss Security

Author: Peter Grant
Java, JAAS and JBoss Security Michael Clark

Nov 17, 2006

1

Presentation Overview
- Introduction
- Application Level Security
- Java Security
- Java Authentication and Authorization Services
- J2EE Security
- Implementing JAAS with JBoss/Tomcat
- EJB method security with JBoss/Tomcat


Introduction
Basic Security principles
- Authentication / Non-repudiation
- Integrity / Access / Authorization
- Confidentiality / Encryption

Areas of Security
- Network Security – Firewalls, VPN, SSL, Intrusion detection, ...
- OS/Server Security – File permissions/ACLs, PAM, LDAP, Kerberos, ...
- Application Security – ?


Application Level Security
Common requirements
- Same basic needs for Authentication/Authorization (AA)
- Need to integrate with common AA mechanisms such as LDAP authentication and role based authorization

Separation of Concerns
- Separate security policy from application code – need a way to specify policy outside of the code

Scope / Complexity
- Enterprise Applications are implemented in many different ways and in many different languages, have complex authorization schemes, and are exposed at many levels
  – bugs, SQL injection, missed authority checks, ...


Application Level Security (cont.)
More complex requirements
- Method level security – An authenticated user is authorized to access this business function. For example:
  – A staff member in Accounts Payable is authorized to use the cheque printing function
- Object level security – An authenticated user is authorized to perform this business function on this particular object. For example:
  – A customer is authorized to make an on-line transaction only from their own account and only for the particular products they are authorized to use


Application Level Security (cont.)
Common errors
- Only checking authentication on the first page: an attacker can bypass the first page and reach a protected function directly
- Missing authorization check in business logic
  – Bank account transfer screen displays only the accounts the customer is authorized to make transfers from, but the transfer business logic doesn't check this when making the transfer
  – Mistake in assuming that what is visible is what the user is authorized to act on. Authorization has to be enforced in the back-end business logic first
- Missing validation allowing data injection – SQL injection, file path injection
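The transfer mistake described above, as an added example that is not from the talk: a screen that lists only the caller's accounts, a business method that trusts the request because the screen "already filtered it", and the corrected method that re-checks ownership in the back end. TransferService, its account data and the principal name are constructed for the illustration.

```java
import java.security.Principal;
import java.util.*;

// Added illustration of the "what is visible is what is authorized" mistake; not code from the talk.
public class TransferService {
    // Constructed sample data: account number -> owner, and account number -> balance.
    static final Map<String, String> OWNER = Map.of("ACC-100", "mclark", "ACC-200", "mclark", "ACC-300", "scott");
    static final Map<String, Long> BALANCE = new HashMap<>(Map.of("ACC-100", 500L, "ACC-200", 100L, "ACC-300", 900L));

    // Screen layer: lists only the caller's own accounts, which is all the user ever sees.
    static List<String> visibleAccounts(Principal caller) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, String> e : OWNER.entrySet())
            if (e.getValue().equals(caller.getName())) out.add(e.getKey());
        return out;
    }
    // Common error: the business logic trusts the 'from' account that arrived with the request.
    // A request naming an account the screen never offered goes straight through.
    static void transferUnchecked(Principal caller, String from, String to, long amount) {
        BALANCE.merge(from, -amount, Long::sum);
        BALANCE.merge(to, amount, Long::sum);
    }
    // Corrected: the back-end business logic re-checks ownership (object level security)
    // and validates the input before acting, regardless of what the screen offered.
    static void transfer(Principal caller, String from, String to, long amount) {
        if (caller == null) throw new SecurityException("not authenticated");
        if (!caller.getName().equals(OWNER.get(from)))
            throw new SecurityException(caller.getName() + " is not authorized on " + from);
        if (amount <= 0 || BALANCE.getOrDefault(from, 0L) < amount)
            throw new IllegalArgumentException("invalid amount");
        if (!BALANCE.containsKey(to)) throw new IllegalArgumentException("unknown target account");
        BALANCE.merge(from, -amount, Long::sum);
        BALANCE.merge(to, amount, Long::sum);
    }

    public static void main(String[] args) {
        Principal scott = () -> "scott";                    // stands in for the authenticated JAAS principal
        System.out.println("scott sees " + visibleAccounts(scott));
        // A tampered request names ACC-100, which scott was never shown:
        transferUnchecked(scott, "ACC-100", "ACC-300", 400);
        System.out.println("after unchecked transfer: " + BALANCE);
        try {
            transfer(scott, "ACC-100", "ACC-300", 400);
        } catch (SecurityException e) {
            System.out.println("checked transfer rejected: " + e.getMessage());
        }
    }
}
```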


Java Security
Sandbox model
- Run untrusted code with restricted permissions
- Control access to restricted resources
  – Class loading, thread creation, exitVM, ...: java.lang.RuntimePermission
  – File system path, read or write access control: java.io.FilePermission
  – Network access, address ranges and ports: java.net.SocketPermission
- Type safety – can't get references to other objects / memory


Java Security (cont.)
Security Manager
- Default implementation provided (can be replaced)
- Enforces security policy / access control
- Not enabled by default when running outside the browser
- Need to specify flags to the JVM to enable it:

  java -Djava.security.manager \
       -Djava.security.policy=myauth.policy \
       com.example.MyClass

Security Policy
- Contains policy permissions
- http://java.sun.com/j2se/1.5.0/docs/guide/security/index.html

Java Security (cont.)
Security Policy Example

grant {
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.io.FilePermission "/usr/lib/j2sdk1.5-sun/jre/lib/-", "read";
};
grant codebase "file:/opt/jboss-3.2.7/-" {
    permission java.security.AllPermission;
};
grant codebase "file:/opt/myapp/-" {
    permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.getPrincipalInfo";
    permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setPrincipalInfo";
    permission java.util.PropertyPermission "*", "read";
    permission java.net.SocketPermission "*", "resolve,connect";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    ...
    permission java.io.FilePermission "/opt/myapp/data/-", "read,write";
    permission java.io.FilePermission "/opt/jboss-3.2.7/lib/-", "read";
    permission java.io.FilePermission "/opt/jboss-3.2.7/server/default/lib/-", "read";
};


JAAS
JAAS (Java Authentication and Authorization Service)
- Modeled on Sun's PAM (Pluggable Authentication Modules)
- Builds on top of Java Security / Access Control
- Provides a pluggable mechanism to authenticate users
  – Through the use of LoginModule(s)
- Provides for authorization of users
  – Control access to restricted actions, e.g. a principal-based policy grant:

  grant Principal org.jboss.security.SimplePrincipal "mclark" {
      permission java.io.FilePermission "foo.txt", "read";
  };

http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html


J2EE Security
Builds on JAAS
- JAAS provides the authentication and authorization

Method-level Access Control
- Specified in the EJB Assembly Descriptor tags in ejb-jar.xml
- Can be used to secure SessionBeans, EntityBeans, MessageQueues
- Ensures that all RMI/IIOP calls to the middle tier are authenticated and that the user/principal has the required role


JBoss/Tomcat JAAS Example
Requires the following:
- JBoss JAAS Login module configuration
  – Specific to a Security Domain
  – e.g. DatabaseLoginModule or LDAPLoginModule
  – you can write a Custom LoginModule if desired
- Users and Roles defined in a database or LDAP directory
- EJB Application configuration
  – ejb-jar.xml Assembly Descriptors
  – jboss.xml Security Domain configuration
- Front tier servlet filter to perform JAAS login
  – The traditional servlet login method can also be used


JBoss LoginModule configuration
JBoss Database Login Module config example: {jboss-home}/server/default/conf/login-config.xml

<application-policy name="my-app">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/MyDataSource</module-option>
      <module-option name="principalsQuery">
        select password from myapp_user
        where email_address = ?
      </module-option>
      <module-option name="rolesQuery">
        select role_name, role_group
        from myapp_user, myapp_user_role
        where myapp_user.user_id = myapp_user_role.user_id
        and myapp_user.email_address = ?
      </module-option>
    </login-module>
  </authentication>
</application-policy>


JBoss LoginModule configuration (cont.)
JBoss LDAP Login Module config example: {jboss-home}/server/default/conf/login-config.xml

<application-policy name="my-app">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://ldap.mydomain.com.sg:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=people,dc=mydomain,dc=com,dc=sg</module-option>
      <module-option name="...">false</module-option>
      <module-option name="searchTimeLimit">5000</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
    </login-module>
  </authentication>
</application-policy>


Sample User Database
MySQL Example Database DDL

/* user table */
create table myapp_user (
    user_id        bigint       not null auto_increment,
    full_name      varchar(60)  not null,
    email_address  varchar(60)  not null,
    password       varchar(20)  null,
    created        datetime     not null,
    updated        datetime     not null,
    deleted        datetime     null,
    primary key (user_id)
);

/* role */
create table myapp_user_role (
    user_role_id  bigint       not null auto_increment,
    user_id       bigint       not null,
    role_name     varchar(60)  not null,
    role_group    varchar(60)  not null,
    primary key (user_role_id),
    foreign key (user_id) references myapp_user (user_id)
);


Sample User Data
MySQL Example Data DML

insert into myapp_user (user_id, full_name, email_address, password, created, updated)
    values (1, 'anonymous', 'anonymous', 'anonymous', utc_date, utc_date);
insert into myapp_user (user_id, full_name, email_address, password, created, updated)
    values (2, 'admin', 'admin', 'changeme', utc_date, utc_date);
insert into myapp_user (user_id, full_name, email_address, password, created, updated)
    values (3, 'Scott', '[email protected]', 'tiger', utc_date, utc_date);
insert into myapp_user_role (user_role_id, user_id, role_name, role_group)
    values (1, 1, 'anonymous', 'Roles');
insert into myapp_user_role (user_role_id, user_id, role_name, role_group)
    values (2, 2, 'admin', 'Roles');
insert into myapp_user_role (user_role_id, user_id, role_name, role_group)
    values (3, 3, 'member', 'Roles');


EJB Application Configuration
ejb-jar.xml fragment

<assembly-descriptor>
  <method-permission>
    <role-name>anonymous</role-name>
    <method><ejb-name>MemberEJB</ejb-name><method-name>create</method-name></method>
    <method><ejb-name>MemberEJB</ejb-name><method-name>registerUser</method-name></method>
    <method><ejb-name>MemberEJB</ejb-name><method-name>forgotPassword</method-name></method>
  </method-permission>
  <method-permission>
    <role-name>member</role-name>
    <method><ejb-name>MemberEJB</ejb-name><method-name>create</method-name></method>
    <method><ejb-name>MemberEJB</ejb-name><method-name>login</method-name></method>
    <method><ejb-name>MemberEJB</ejb-name><method-name>getResource</method-name></method>
  </method-permission>
  <method-permission>
    <role-name>admin</role-name>
    <method><ejb-name>MemberController</ejb-name><method-name>*</method-name></method>
  </method-permission>
</assembly-descriptor>


EJB Application Configuration (cont.)
jboss.xml fragment

<jboss>
  <security-domain>java:/jaas/my-app</security-domain>
  <unauthenticated-principal>anonymous</unauthenticated-principal>
  ...
</jboss>


Example JAAS Login Servlet Filter

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.security.auth.login.*;
import javax.security.auth.callback.*;
import java.util.logging.Logger;

public class JAASLoginFilter implements Filter
{
    private final static Logger log =
        Logger.getLogger(JAASLoginFilter.class.getName());

    // Log in before the request is processed and log out again afterwards, so the
    // JAAS subject is associated with the worker thread only for this request.
    // The finally block guarantees the logout even if the chain throws.
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException
    {
        login(request);
        try {
            chain.doFilter(request, response);
        } finally {
            logout(request);
        }
    }
    ...
    public void init(FilterConfig filterConfig) {}
    public void destroy() {}
}


Example JAAS Login Servlet Filter (cont.)

    // Hands the username and password to the LoginModule's NameCallback / PasswordCallback
    static class LoginCallback implements CallbackHandler
    {
        private String username;
        private String password;
        protected LoginCallback(String username, String password)
        {
            this.username = username;
            this.password = password;
        }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException
        {
            for(int i=0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    ((NameCallback) callbacks[i]).setName(username);
                } else if (callbacks[i] instanceof PasswordCallback) {
                    ((PasswordCallback) callbacks[i]).setPassword(password.toCharArray());
                } else {
                    throw new UnsupportedCallbackException(callbacks[i]);
                }
            }
        }
    }
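As an added example that is neither the talk's code nor JBoss's DatabaseServerLoginModule, a hypothetical in-memory LoginModule wired to a programmatic Configuration for the security domain my-app shows the two-phase login/commit flow that the filter above drives through its LoginCallback. The user and role data are constructed, and the code assumes Java 11 or later with no application server.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical in-memory LoginModule (added example), standing in for a database or LDAP module.
public class DemoLoginModule implements LoginModule {
    // Constructed sample users: name -> password and name -> role (plain-text passwords only for the demo).
    static final Map<String, String> PASSWORDS = Map.of("mclark", "s3cret", "scott", "tiger");
    static final Map<String, String> ROLES = Map.of("mclark", "admin", "scott", "member");
    private Subject subject; private CallbackHandler handler; private String user;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    // Phase 1: obtain credentials via the CallbackHandler (the filter's LoginCallback) and verify them.
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username");
        PasswordCallback pc = new PasswordCallback("password", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e); }
        boolean ok = pc.getPassword() != null && new String(pc.getPassword()).equals(PASSWORDS.get(nc.getName()));
        pc.clearPassword();                               // do not keep the password in memory
        if (!ok) throw new FailedLoginException("bad username or password");
        user = nc.getName();
        return true;
    }
    // Phase 2: only once every module in the domain has succeeded, attach user and role principals.
    public boolean commit() {
        Principal userP = () -> user, roleP = () -> ROLES.get(user);
        subject.getPrincipals().add(userP); subject.getPrincipals().add(roleP);
        return true;
    }
    public boolean abort() { user = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }

    static Configuration config() {                       // stand-in for a login-config.xml <application-policy name="my-app">
        return new Configuration() { public AppConfigurationEntry[] getAppConfigurationEntry(String domain) {
            return !"my-app".equals(domain) ? null : new AppConfigurationEntry[] { new AppConfigurationEntry(
                DemoLoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
        } };
    }
    public static void main(String[] args) throws LoginException {
        CallbackHandler creds = cbs -> {                  // supplies what the login form would
            for (Callback c : cbs)
                if (c instanceof NameCallback) ((NameCallback) c).setName("scott");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("tiger".toCharArray());
        };
        LoginContext lc = new LoginContext("my-app", new Subject(), creds, config());
        lc.login();                                       // throws FailedLoginException for wrong credentials
        for (Principal p : lc.getSubject().getPrincipals()) System.out.println("principal: " + p.getName());
        lc.logout();
    }
}
```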