Title: Corporate PPT Template
1(No Transcript)
2Building Secure J2EE Applications With Oracle
Session id40119
- Cary BakkerPrincipal Consultant
- John Gammon
- Principal Consultant
- Adam Leftik
- Sr. Principal Consultant
- Oracle Corporation
3Agenda
- Introduction
- Motivation for POC
- Requirements for solution
- Architectural decisions
- Security Fundamentals
- Security Concepts review
- SSL
- A How To on locking down the system
- Web Client to HTTP Server
- HTTP Server to App Server
- App Server to Database
4Client Motivation
- Aerospace Operation Center (AOC) issues
- Separate Coalition Network
- n as many servers
- n setup time
- Difficult to share data
- Data cleansing process
- Untimely data
- Erroneous data
- Unavailable data
5Solution Requirements
- Multi Level Security (MLS)
- US and Coalition all on single network
- Timely release of data
- Security given highest priority
- Flexible architecture
6Solution Architecture Overview
- SSL Mutual Authentication for all network
communication, lock down all layers - Oracles MVC Framework flexibility for
migration to service oriented architecture
implementation - Oracle Label Security key for MLS and timely
release of information
7Security Concepts Review
- Authentication
- Authorization
- Confidentiality
- Integrity
8Secure Socket Layer Protocol (SSL)
- Client Sends list of cipher suites
- Server responds with the cipher suite
specification and web servers digital certificate
and requests client certificate - Client verifies certificate
- Client generates pre-master secret and encrypts
with servers public key and sends its client
certificate and pre-master secret - Server decrypts pre-master secret with private
key and verifies client certificate - Session key is calculated using pre-master secret
by both parties independently - Session key is used for symmetric key encryption
for rest of the session
9Certificate Verification
- Is this certificate in the CRL?
- Is the certificate within validity period?
- Is the Certificate Authority trusted (chain)?
- Does the issuing certificates public key
validate issuers signature? - (Optional) Does the web server DNS name match the
subjects (server cert) DN? 9i also supports
instance verification via instance name hostname
10Secure Software Architecture
11High-Level Flow
12Oracle Http Server and Mod OSSL
- Provides authentication, confidentiality, and
integrity for communication between web client
and OHS using SSL - Support for majority of cryptographically strong
cipher algorithms - SSL mutual authentication support (two-phase
authentication)
13Key OHS Directives
- LoadModule ossl_module modules/ApacheModuleOSSL.DL
L - SSLWallet file\conf\Apache\Apache\conf
- SSLWalletPassword mypassword
- SSLVerifyClient require
- SSLOptions FakeBasicAuth ExportCertData
CompatEnvVars StrictRequire
14Securing OC4J
- Mod OC4J for proxying requests to OC4J
- AJP over SSL support in 9.04
- IP Checks
- Security Filters
- JAZN provides authentication and authorization
for middle-tier business logic
15Mod OC4J Example
-
- propagate credentials to OC4J
- Oc4jExtractSSL on
-
- SetHandler oc4j-service-handler
- Order deny,allow
- Deny from all
- Allow from localhost
-
-
- Oc4jMount /myapp home
- Oc4jMount /myapp/ home
16Accessing Certificates
- //Servlet sevice method.
- ServetRequest request null
- .
- java.security.cert.X509Certificate certs
request.getAttribute(java.security.cert. - X509Certificate.getClass().getName())
- Principal issuerPrincipal cert0.getIssuerDN()
- Principal subjPrincipal cert0.getSubjectDN()
17Security Filter
18JAZN
- Provides authorization for middle-tier resources
- Makes the J2EE container aware of the
authentication and authorization - Map J2EE Principals and Roles to enterprise data
stores e.g. LDAP - Support for declarative security model in J2EE
e.g. method level permissions in EJB deployment
descriptors
19Database Users and Application Users
- Avoid the One Big Database User
- Leverage auditing
- Allows you to use other security features
- Oracle Label Security
- Secure application roles
20Securing Database Access
21Proxy Authentication
- JDBC OCI connection pool support (Subclass of
OracleDataSource) - A pool of lightweight database sessions created
via app server database user which are
authenticated via SSL mutual authentication - Digital certificates propagated to database
server to authenticate application users creating
a heavyweight session - SSL ensures Middle-Tier and Database trust each
other - Preserves application identities
22Proxy Authentication Example
- CREATE USER APP_SERVER IDENTIFIED GLOBALLY AS
CNAPP_SERVER, CUS - CREATE USER JOHN_ROHLER IDENTIFIED GLOBALLY AS
'CNJon Rohler, CUS' - GRANT "CONNECT" TO APP_SERVER
- ALTER USER JOHN_ROHLER GRANT CONNECT THROUGH
APP_SERVER - GRANT "CONNECT" TO JOHN_ROHLER
- GRANT APPLICATION_ROLE TO JOHN_ROHLER
23Proxy Authentication Example (cont)
- import oracle.jdbc.pool
- ..
- InitialContext ctx new InitialContext()
- OracleOCIConnectionPool ds
(OracleOCIConnectionPool) initial.lookup("jdbc/Ora
cleProxyDS") - Properties props new Properties()
- props.put(OracleOCIConnectionPool.PROXY_CERTIFI
CATE, UsersDERCertRef) - Connection connection pool.getProxyConnection
(OracleOCIConnectionPool. PROXYTYPE_CERTIFICATE,
props)
24Secure Application Roles
- Only allows privileges to schema objects from
specific applications in specific contexts - Reduce the possibility of inside intrusion by
circumventing middle-tier - Network based authorization
25Secure Application Role Example
- CREATE OR REPLACE PACKAGE BODY MY_ROLE IS
- PROCEDURE check_access
- IS
- proxy_usr VARCHAR2 (4000)
- ip_address VARCHAR2 (16)
- BEGIN
- proxy_usr SYS_CONTEXT('userenv','proxy_user')
- ip_address SYS_CONTEXT('userenv','ip_address')
-
- IF proxy_usr APP_SERVER AND ip_address
192.168.1.125 THEN - DBMS_SESSION.SET_ROLE(MY_APPLICATION_ROLE')
- END IF
- END
- END
- /
- GRANT SELECT ON ACCOUNTS TO MY_APPPLICATION_ROLE
- GRANT EXECUTE ON MY_ROLE TO JOHN_ROHLER
- CREATE MY_APPLICATION_ROLE IDENTIFIED USING
schema_owner_for_pl_sql_package.MY_ROLE - GRANT "MY_APPLICATION_ROLE" TO JOHN_ROHLER
26Integration With JDBC Example
- Connection conn null
- CallableStatement cs null
- try
- // get a proxy connection from jdbc oci
connection pool - conn getConnection()
- cs conn.prepareCall(begin
schema_owner.my_role.check_access() end) - cs.execute()
- // now use conn to issue a query against
account table, query will fail if not connecting
from middle tier - catch (SQLException sqle)
- //handle the exception
- finally
- if (conn ! null)
- try conn.close() catch (SQLException
sqle) -
- if (cs ! null)
- trycs.close()catch(SQLException
sqle) -
27Oracle Label Security Row Level Security
- Built on top of VPD
- General purpose row-level authorization
- Based on military classification metaphor
- Flexible Levels, Compartments, Groups
28Oracle Label Example Create Policy and Levels
- EXEC SA_SYSDBA.CREATE_POLICY('MYPOLICY',
'MYCOLUMN', 'READ_CONTROL, WRITE_CONTROL,
CHECK_CONTROL, LABEL_DEFAULT') - EXEC SA_COMPONENTS.CREATE_LEVEL('MYPOLICY',9000,'
C', -
'CLASSIFIED') - EXEC SA_COMPONENTS.CREATE_LEVEL('MYPOLICY',2000,'
HS', - 'HIGHLY_SENSITIVE')
- EXEC SA_COMPONENTS.CREATE_LEVEL('MYPOLICY',1000,'
S', -
'SENSITIVE')
29Oracle Label Example Apply Policy to Table
- EXEC sa_policy_admin.apply_table_policy(
- 'MYPOLICY',
- 'SCHEMAOWNER',
- 'MYTABLE')
30Oracle Label Example Authorize User Labels
- BEGIN
- SA_USER_ADMIN.SET_USER_LABELS(
- POLICY_NAME'MYPOLICY',
- USER_NAME JOHN_ROHLER',
- MAX_READ_LABEL 'C,HS,S',
- MAX_WRITE_LABEL 'C',
- MIN_WRITE_LABEL C)
- END
- /
31Oracle Label Example Apply Labels to Rows
- UPDATE SCHEMAOWNER.TABLE_NAME
- SET MYCOLUMNAME
- char_to_label('MYPOLICY','C')
- WHERE
- MYUNIQUEKEY 'SOMEUNIQUEVALUE'
- INSERT INTO ACCOUNTS (ACCOUNT_NUM) VALUES (1)
- INSERT INTO ACCOUNTS (ACCOUNT_NUM, LABEL_COLUMN)
- VALUES (2, char_to_label(MYPOLICY,C))
- SELECT FROM ACCOUNTS
32Next Steps.
- To request a complimentary 1-on-1 consultation to
begin a personalized assessment of the potential
benefits of an Oracle solution based on your
organizations environment, stop by the Oracle
Consultations area in the Oracle DEMOgrounds
section of the Exhibit Hall. - For information on our services, visit the Oracle
Consulting booth in the Oracle Services area in
the Oracle DEMOgrounds section of the Exhibit
Hall.
33For more information
- TheServerSide.com J2EE Community
- Largest J2EE site in the world
- 305,000 registered members
- Enterprise Java News
- Design Patterns
- Free Books
- Product Reviews
- Articles and Video Interviews
34Reminder please complete the OracleWorld
online session surveyThank you.